Homepage

Reachable Assertion The advisory has been revoked - it doesn't affect any version of package nodejs24-devel  (opens in a new tab)

Threat Intelligence

EPSS
0.02% (4th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL10-NODEJS24DEVEL-15744645
  • published22 Mar 2026
  • disclosed18 Mar 2026
Report a new vulnerability Found a mistake?

Introduced: 18 Mar 2026

NewCVE-2026-27135  (opens in a new tab)
CWE-617  (opens in a new tab)

Amendment

The Red Hat security team deemed this advisory irrelevant for RHEL:10.

NVD Description

Note: Versions mentioned in the description apply only to the upstream nodejs24-devel package and not the nodejs24-devel package as distributed by RHEL.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.