Stop nghttp2 DoS attacks (CVE-2026-27135) with a universal fix. Includes check commands for Ubuntu/Rocky/SUSE + a 15-min Docker lab.
In April 2026, SUSE released a fix for nghttp2 (CVE-2026-27135). But this isn't just about one date. HTTP/2 library assertion failures have happened before, and they will happen again. The real skill? Knowing how to detect, patch, and mitigate – no matter when the next one drops.
This guide gives you the commands and scripts to handle this specific flaw and the next one.
What's the problem?
nghttp2 is the library that implements HTTP/2 for many Linux programs (Apache httpd's mod_http2, curl, Node.js's http2 module, and others). CVE-2026-27135 is an assertion failure caused by missing state validation: a remote attacker sends a malformed HTTP/2 frame → the library hits an assertion → the whole application process aborts (Denial of Service). Every process linked against the shared library is exposed, not only web servers.
CVSS 7.5 (High) – network exploitable, low complexity, no auth needed.
Run these commands to see your nghttp2 version and whether you need the patch.
Ubuntu / Debian
dpkg -l | grep libnghttp2
# Vulnerable (version cited by this post): libnghttp2-14 < 1.52.0-1ubuntu0.2
# Confirm the fixed version for your own release in the Ubuntu Security Notice for CVE-2026-27135 before trusting that number
# Fix (apt-get/apt "upgrade" does not take package names; use install --only-upgrade):
sudo apt update && sudo apt install --only-upgrade libnghttp2-14
Rocky Linux / AlmaLinux 8 / 9
rpm -q nghttp2 libnghttp2
# Ask dnf which advisory fixes the CVE (security fixes ship as RHSA-/RLSA-/ALSA- advisories; RHEA- ones are enhancements)
dnf updateinfo list --cve CVE-2026-27135
# Apply just that fix, by CVE or by the advisory ID dnf printed
sudo dnf update --cve CVE-2026-27135
# sudo dnf update --advisory RHSA-2026:NNNN   # example, use the actual ID
SUSE 15 SP4 / SP5 (the originally affected systems)
zypper info libnghttp2-14
# Fixed version cited by this post: 1.40.0-150200.22.1 or higher
# Apply just the patch for this CVE (or everything pending with: sudo zypper patch)
sudo zypper patch --cve=CVE-2026-27135
Generic check (any distro)
# Find where libnghttp2 is installed
ldconfig -p | grep nghttp2
# Then map the path to a package and check its version with your package manager
# (dpkg -S <path> on Debian/Ubuntu, rpm -qf <path> on RPM-based systems)
Automation script to apply the fix
Save as fix-nghttp2-dos.sh – runs on Ubuntu, Rocky, SUSE.
#!/bin/bash
# Evergreen nghttp2 assertion failure fix – Ubuntu/Debian, Rocky/RHEL/Alma, SUSE
set -e

# Detect distro from /etc/os-release (ID is e.g. ubuntu, rocky, sles, opensuse-leap)
OS=unknown
if [ -f /etc/os-release ]; then
  . /etc/os-release
  OS=$ID
fi

echo "=== Fixing nghttp2 assertion flaw on $OS ==="

# Restart only the services that exist on this host: under "set -e", a plain
# "systemctl restart httpd nginx" aborts the script at the first missing unit.
restart_if_present() {
  for unit in "$@"; do
    if systemctl cat "$unit.service" > /dev/null 2>&1; then
      sudo systemctl restart "$unit.service"
    fi
  done
}

case $OS in
  ubuntu|debian)
    sudo apt update
    sudo apt install -y --only-upgrade libnghttp2-14
    restart_if_present nginx apache2
    ;;
  rocky|rhel|centos|almalinux)
    sudo dnf update -y libnghttp2
    restart_if_present httpd nginx
    ;;
  sles|opensuse-leap)
    sudo zypper patch -y
    restart_if_present apache2 nginx
    ;;
  *)
    echo "Unsupported OS ($OS). Update nghttp2 manually."
    exit 1
    ;;
esac

echo "=== Verification ==="
# The nghttp client reports the library version it is linked against
# (note: "-v" is verbose mode, not version)
if command -v nghttp > /dev/null; then
  nghttp --version
fi
echo "Fix applied. Any other process linked against libnghttp2 (curl-based daemons, proxies) keeps the old copy mapped until it is restarted. Monitor for crashes."
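The version checks above tell you what is installed; the script's verification step does not tell you who is still running the old code. A shared-library update leaves every already-running process on the previous copy until it restarts, and the kernel marks such mappings "(deleted)" in /proc/<pid>/maps. The following check is an added example, not the post's script: it lists every process that has libnghttp2 mapped, names the systemd unit it belongs to (taken from its cgroup path), and flags stale copies. It assumes a Linux /proc and needs root to inspect other users' processes; the maps excerpt it ships with is constructed for demonstration, not captured from a real host.

```shell
#!/bin/bash
# Added example, not code from the original post: after a libnghttp2 package
# update, list every process that has the library mapped and flag the ones
# still holding the replaced copy. The kernel marks such mappings "(deleted)"
# in /proc/<pid>/maps; those processes run the old code until restarted.
# Assumptions: a Linux /proc; run as root to see other users' processes.

# nghttp2_mappings <maps-file>
# Fields of a maps line: address perms offset dev inode path [(deleted)].
# Prints "STALE <path>" for a replaced copy, "current <path>" otherwise,
# one line per distinct file (a library is mapped as several segments).
nghttp2_mappings() {
  awk '$6 ~ /libnghttp2\.so/ {
         state = ($7 == "(deleted)") ? "STALE" : "current"
         print state, $6
       }' "$1" | LC_ALL=C sort -u
}

# unit_of_pid <pid>: the systemd service a process belongs to, read from
# the end of its cgroup path (empty for processes outside a .service).
unit_of_pid() {
  sed -n 's#.*/\([^/]*\.service\)$#\1#p' "/proc/$1/cgroup" 2>/dev/null | head -n 1
}

# scan_processes: one report line per process and library copy.
# Returns 1 if any STALE mapping was found, 0 otherwise.
scan_processes() {
  rc=0
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
    found=$(nghttp2_mappings "$maps" 2>/dev/null)
    [ -n "$found" ] || continue
    unit=$(unit_of_pid "$pid")
    printf '%s\n' "$found" | while read -r state path; do
      printf '%-7s %-16s %-24s %-8s %s\n' "$pid" "$comm" "${unit:--}" "$state" "$path"
    done
    case $found in *STALE*) rc=1 ;; esac
  done
  return $rc
}

# Constructed /proc/<pid>/maps excerpt (not captured from a real host): a
# process started before the package update, plus unrelated mappings.
sample_maps() {
  cat <<'EOF'
7f3c1a200000-7f3c1a203000 r--p 00000000 08:01 262401 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1 (deleted)
7f3c1a203000-7f3c1a21f000 r-xp 00003000 08:01 262401 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1 (deleted)
7f3c1a21f000-7f3c1a224000 r--p 0001f000 08:01 262401 /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1 (deleted)
7f3c1a300000-7f3c1a328000 r--p 00000000 08:01 262233 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd4c3e0000-7ffd4c401000 rw-p 00000000 00:00 0                          [stack]
EOF
}

# demo: run the classifier over the constructed sample (no /proc needed)
demo() {
  tmp=$(mktemp)
  sample_maps > "$tmp"
  nghttp2_mappings "$tmp"
  rm -f "$tmp"
}

demo   # STALE /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1
if [ -d /proc/self ]; then
  scan_processes || echo "Restart the STALE units above, then re-run this check."
fi
```

Run it as root right after the package update: an empty STALE column means the new library is actually in use everywhere; otherwise restart the units it names (or the bare processes, for things not under systemd) and run it again. The awk filter matches any file named libnghttp2.so*, so it also catches a second copy of the library bundled under an unusual path.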
Alternative mitigation (if you can't update now)
Can't restart the affected services right now? (A library update never needs a reboot, only a restart of the processes using it.) The options below reduce exposure rather than close the bug: a single malformed frame is enough to trigger the assertion, so only disabling HTTP/2 (option 2) actually removes the attack path, while rate limiting (option 1) just caps how fast a crash loop can be driven.
1. iptables rules (rate limit new connections to port 443 – this covers HTTP/1.1 too)
# Accept established flows first – without this, the final DROP kills every in-flight connection
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Cap new connections at 5/second per source IP (burst 10); a bare "-m limit" is one global bucket shared by all clients
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
  -m hashlimit --hashlimit-name h2new --hashlimit-mode srcip \
  --hashlimit-upto 5/second --hashlimit-burst 10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
# This slows a crash loop; it does not stop one malformed frame from one connection
2. HAProxy / Nginx config (disable HTTP/2 temporarily)
Nginx:
# In your server block – fall back to HTTP/1.1
listen 443 ssl;          # was: listen 443 ssl http2;  (nginx < 1.25.1)
# http2 on;              # nginx >= 1.25.1 enables HTTP/2 with this directive instead – comment it out (or set "http2 off;")
# Then: sudo nginx -t && sudo systemctl reload nginx
HAProxy:
bind :443 ssl crt /path/to/cert.pem alpn http/1.1    # was: alpn h2,http/1.1 – the ALPN token for HTTP/1.1 is "http/1.1", not "h1"
# Then: sudo haproxy -c -f /etc/haproxy/haproxy.cfg && sudo systemctl reload haproxy
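After reloading nginx or HAProxy, check from the outside that HTTP/2 is really gone; a typo in the config or a second listener can leave h2 on. The check below is an added example, not part of the original post. It offers only "h2" in the TLS ClientHello with the openssl command-line tool and reads the ALPN result of the handshake, which is authoritative whatever the config file says. It assumes openssl is installed; the two s_client excerpts inside it are constructed for demonstration, not captured from a real server.

```shell
#!/bin/bash
# Added example, not from the original post: verify from the network side
# that HTTP/2 is really off after the nginx/HAProxy change above. The ALPN
# result of a real TLS handshake is authoritative; the config file is not.
# Assumes the openssl command-line tool is installed.

# parse_alpn <s_client output>
# openssl s_client prints "ALPN protocol: <name>" when one was negotiated and
# "No ALPN negotiated" otherwise; a failed handshake prints neither.
# Prints the protocol name, or "none" for the last two cases.
parse_alpn() {
  printf '%s\n' "$1" | awk '
    /^ALPN protocol:/     { sub(/^ALPN protocol:[ \t]*/, ""); print; found = 1; exit }
    /^No ALPN negotiated/ { print "none"; found = 1; exit }
    END                   { if (!found) print "none" }'
}

# h2_offered <host> <port>
# Offers only "h2" in the ClientHello. Exit 0 if the server picks it (HTTP/2
# still reachable), 1 if it answers without ALPN or aborts the handshake
# because it no longer speaks h2 at all.
h2_offered() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" -alpn h2 </dev/null 2>/dev/null)
  [ "$(parse_alpn "$out")" = "h2" ]
}

# check_host <host> <port>: human-readable verdict, non-zero if h2 is still on
check_host() {
  if h2_offered "$1" "$2"; then
    echo "$1:$2 still negotiates h2 - HTTP/2 is NOT disabled"
    return 1
  fi
  echo "$1:$2 does not negotiate h2 - fallback to HTTP/1.1 is in effect"
}

# Constructed s_client excerpts (not captured from a real server) so the
# parser can be exercised without a network.
SAMPLE_H2='CONNECTED(00000003)
---
SSL handshake has read 2631 bytes and written 399 bytes
ALPN protocol: h2
---'
SAMPLE_NONE='CONNECTED(00000003)
---
No ALPN negotiated
---'
SAMPLE_REFUSED=''

parse_alpn "$SAMPLE_H2"        # h2
parse_alpn "$SAMPLE_NONE"      # none
parse_alpn "$SAMPLE_REFUSED"   # none
```

Usage: `check_host www.example.com 443` against each public name, since SNI selects the server block. As a cross-check, `curl -sI --http2 -o /dev/null -w '%{http_version}\n' https://www.example.com/` prints 2 while HTTP/2 is still being served and 1.1 once the fallback is in effect.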
3. AppArmor profile (confine the process – damage limitation, not a DoS fix)
AppArmor profiles attach to executables, not to shared libraries, so a profile block keyed on libnghttp2*.so confines nothing, and no AppArmor rule can stop an assertion abort inside the process. What a profile does is bound what a misbehaving or compromised nginx can touch. If an nginx profile is loaded, add rules to its local override rather than writing a new profile:
# /etc/apparmor.d/local/usr.sbin.nginx – included by the main nginx profile; rules only, no profile header
deny /tmp/** rw,
deny /proc/*/mem rw,
# Reload just that profile ("systemctl reload apparmor" reparses everything)
sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.nginx
If what you actually need is for the service to come back by itself after a crash, that is a systemd job (Restart=on-failure in a unit drop-in), not an AppArmor one.
Hands-on Lab: Reproduce & Fix in 15 Minutes
Set up a safe test environment to see this crash yourself (or test your fix).
Requirements: Docker or LXC on any Linux box.
Step 1: Create vulnerable container
# Ubuntu 22.04 ships an nghttp2 older than the fixed version this post cites
docker run -it --name nghttp2-lab ubuntu:22.04 bash
# Inside the container: the nghttp2 metapackage pulls in the library plus the nghttpd server and nghttp client
apt update && apt install -y nghttp2 curl gdb
Step 2: Simulate crash (conceptual)
In real life, the exploit sends a HEADERS frame with invalid padding. Without a PoC, this step only checks that the harness works: the server comes up, a client talks HTTP/2 to it, and you can tell whether the server process survived. A large POST body does not exercise the flaw.
# Inside the container – start a cleartext (h2c) HTTP/2 server on port 8080 with a document root
mkdir -p /var/www/html && echo ok > /var/www/html/index.html
nghttpd --no-tls -v -d /var/www/html 8080 &
SERVER=$!
# Send a request: nghttp talks HTTP/2 directly to http:// URLs; -n discards the body, -v prints the frames,
# -d takes a file to POST (not inline data)
python3 -c 'print("A"*10000)' > /tmp/body
nghttp -nv -d /tmp/body http://localhost:8080/
# Did the server survive? An assertion failure aborts the process (SIGABRT, exit status 134).
# dmesg shows nothing useful inside a container; check the process instead
kill -0 "$SERVER" && echo "server alive" || { wait "$SERVER"; echo "server exited with status $?"; }
Step 3: Apply the fix
# Outside the container – snapshot the vulnerable state so you can come back to it
docker commit nghttp2-lab nghttp2:vulnerable
# Inside the container – update only the library; nghttpd keeps the old .so mapped until it is restarted
apt update && apt install -y --only-upgrade libnghttp2-14
kill "$SERVER"
nghttpd --no-tls -v -d /var/www/html 8080 &
SERVER=$!
# Re-run the Step 2 request and the liveness check – the server should still be alive afterwards
Why you still need a proper HTTP/2 book
Patching blindly doesn't teach you HTTP/2 security. This vulnerability lives in a subtle part of the protocol, stream state validation, and many sysadmins can't tell HPACK header decoding apart from stream concurrency limits.
Book: HTTP/2 in Action by Barry Pollard.
Conclusion
You now have a reusable battle plan:
- Check your version with one command.
- Run the cross-distro script.
- Fall back to HTTP/1.1 (or at least rate-limit new connections with iptables) if you're stuck.
- Lab it in Docker so you're ready for the next CVE.
Do this now: Subscribe to the Linux Security Weekly newsletter. Every Saturday you get:
- One automation script like the one above.
- One "lab of the week".
- Zero vendor hype.