https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6 reports:
nghttp2 is an implementation of the Hypertext Transfer
Protocol version 2 in C. Prior to version 1.68.1, the
nghttp2 library stops reading the incoming data when user
facing public API `nghttp2_session_terminate_session` or
`nghttp2_session_terminate_session2` is called by the
application. They might be called internally by the
library when it detects the situation that is subject to
connection error. Due to the missing internal state
validation, the library keeps reading the rest of the data
after one of those APIs is called. Then receiving a
malformed frame that causes FRAME_SIZE_ERROR causes
assertion failure. nghttp2 v1.68.1 adds missing state
validation to avoid assertion failure. No known
workarounds are available.