Skip to content

Commit a160b72

Browse files
committed
Patch for CVE's identified in nghttp2
- patch for CVE-2026-27135. Signed-off-by: Unniche, BasavarajX <basavarajx.unniche@intel.com>
1 parent b91d630 commit a160b72

2 files changed

Lines changed: 110 additions & 1 deletion

File tree

Lines changed: 105 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,105 @@
1+
From 5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1 Mon Sep 17 00:00:00 2001
2+
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
3+
Date: Wed, 18 Feb 2026 18:04:30 +0900
4+
Subject: [PATCH] Fix missing iframe->state validations to avoid assertion
5+
failure
6+
7+
---
8+
lib/nghttp2_session.c | 32 ++++++++++++++++++++++++++++++++
9+
1 file changed, 32 insertions(+)
10+
11+
diff --git a/lib/nghttp2/lib/nghttp2_session.c b/lib/nghttp2/lib/nghttp2_session.c
12+
index 51ed449..91a3960 100644
13+
--- a/lib/nghttp2/lib/nghttp2_session.c
14+
+++ b/lib/nghttp2/lib/nghttp2_session.c
15+
@@ -6027,6 +6027,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
16+
return rv;
17+
}
18+
19+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
20+
+ return (ssize_t)inlen;
21+
+ }
22+
+
23+
on_begin_frame_called = 1;
24+
25+
rv = session_process_headers_frame(session);
26+
@@ -6393,6 +6397,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
27+
if (nghttp2_is_fatal(rv)) {
28+
return rv;
29+
}
30+
+
31+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
32+
+ return (ssize_t)inlen;
33+
+ }
34+
}
35+
}
36+
37+
@@ -6649,6 +6657,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
38+
return rv;
39+
}
40+
41+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
42+
+ return (ssize_t)inlen;
43+
+ }
44+
+
45+
session_inbound_frame_reset(session);
46+
47+
break;
48+
@@ -6952,6 +6964,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
49+
if (nghttp2_is_fatal(rv)) {
50+
return rv;
51+
}
52+
+
53+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
54+
+ return (ssize_t)inlen;
55+
+ }
56+
} else {
57+
iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK;
58+
}
59+
@@ -7124,6 +7140,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
60+
if (nghttp2_is_fatal(rv)) {
61+
return NGHTTP2_ERR_CALLBACK_FAILURE;
62+
}
63+
+
64+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
65+
+ return (ssize_t)inlen;
66+
+ }
67+
}
68+
}
69+
}
70+
@@ -7204,6 +7224,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
71+
return rv;
72+
}
73+
74+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
75+
+ return (ssize_t)inlen;
76+
+ }
77+
+
78+
if (rv != 0) {
79+
busy = 1;
80+
81+
@@ -7222,6 +7246,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
82+
return rv;
83+
}
84+
85+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
86+
+ return (ssize_t)inlen;
87+
+ }
88+
+
89+
session_inbound_frame_reset(session);
90+
91+
break;
92+
@@ -7250,6 +7278,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
93+
return rv;
94+
}
95+
96+
+ if (iframe->state == NGHTTP2_IB_IGN_ALL) {
97+
+ return (ssize_t)inlen;
98+
+ }
99+
+
100+
session_inbound_frame_reset(session);
101+
102+
break;
103+
--
104+
2.34.1
105+

SPECS/fluent-bit/fluent-bit.spec

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
22
Name: fluent-bit
33
Version: 3.1.10
4-
Release: 4%{?dist}
4+
Release: 5%{?dist}
55
License: Apache-2.0
66
Vendor: Intel Corporation
77
Distribution: Edge Microvisor Toolkit
@@ -22,6 +22,7 @@ Patch8: CVE-2025-12970.patch
2222
Patch9: CVE-2025-12977.patch
2323
Patch10: CVE-2025-12969.patch
2424
Patch11: CVE-2025-62408.patch
25+
Patch12: CVE-2026-27135.patch
2526
BuildRequires: bison
2627
BuildRequires: cmake
2728
BuildRequires: cyrus-sasl-devel
@@ -191,6 +192,9 @@ install -m 644 %{modulename}.pp %{buildroot}%{_datadir}/selinux/packages/%{modul
191192
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
192193

193194
%changelog
195+
* Tue Apr 07 2026 Basavarajx unniche <basavarajx.unniche@intel.com - 3.1.10-5
196+
- Patch for CVE-2026-27135
197+
194198
* Mon Feb 23 2026 Lee Chee Yang <chee.yang.lee@intel.com> - 3.1.10-4
195199
- merge from Azure Linux 3.0.20260107-3.0
196200
- Patch for CVE-2025-62408

0 commit comments

Comments
 (0)