nghttp2 vulnerability
Published: Wed, 06 May 2026 19:25
Summary
nghttp2 could be made to crash if it received specially crafted network traffic.
Details
USN-8233-1 fixed a vulnerability in nghttp2. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: Andrew MacPherson discovered that nghttp2 did not properly validate internal state when the session termination API was called. A remote attacker could possibly use this issue to cause nghttp2 to crash, resulting in a denial of service.
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu resolute
nghttp2→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y nghttp2
Most apt upgrades restart their service automatically. needrestart lists anything else.
libnghttp2-14→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libnghttp2-14
Most apt upgrades restart their service automatically. needrestart lists anything else.
libnghttp2-dev→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libnghttp2-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libnghttp2-doc→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libnghttp2-doc
Most apt upgrades restart their service automatically. needrestart lists anything else.
nghttp2→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y nghttp2
Most apt upgrades restart their service automatically. needrestart lists anything else.
nghttp2-client→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y nghttp2-client
Most apt upgrades restart their service automatically. needrestart lists anything else.
nghttp2-proxy→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y nghttp2-proxy
Most apt upgrades restart their service automatically. needrestart lists anything else.
nghttp2-server→1.68.0-2ubuntu0.1apt_upgradeStandard apt upgrade. Install 1.68.0-2ubuntu0.1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y nghttp2-server
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8233-2?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8233-2 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.