Alpine: multiple nghttp2 packages: security update to 1.68.1

high Tenable Self-Hosted Container Security Plugin ID 441054

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1,
the nghttp2 library stops reading the incoming data when user facing public API
`nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application.
They might be called internally by the library when it detects the situation that is subject to connection
error. Due to the missing internal state validation, the library keeps reading the rest of the data after
one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes
assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known
workarounds are available. (CVE-2026-27135)

Solution

Update the nghttp2 library and its related packages to version 1.68.1 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-27135

Plugin Details

Severity: High

ID: 441054

Version: Revision 1.2

Type: Local

Published: 5/4/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-27135

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-27135