apache · arturobernalg · Feb 24, 2026 · Feb 23, 2026
diff --git a/...ore5-h2/src/main/java/org/apache/hc/core5/http2/impl/nio/AbstractH2StreamMultiplexer.java b/...ore5-h2/src/main/java/org/apache/hc/core5/http2/impl/nio/AbstractH2StreamMultiplexer.java
@@ -772,6 +772,10 @@ private void consumeFrame(final RawFrame frame) throws HttpException, IOExceptio
         final FrameType frameType = FrameType.valueOf(frame.getType());
         final int streamId = frame.getStreamId() & 0x7fffffff;
 
+        // once the connection is active, the first frame from a peer after the preface MUST be SETTINGS.
+        if (connState == ConnectionHandshake.ACTIVE && remoteSettingState == SettingsHandshake.READY && frameType != FrameType.SETTINGS) {
+            throw new H2ConnectionException(H2Error.PROTOCOL_ERROR, "SETTINGS frame expected as first peer frame");
+        }
         if (continuation != null && frameType != FrameType.CONTINUATION) {
             throw new H2ConnectionException(H2Error.PROTOCOL_ERROR, "CONTINUATION frame expected");
         }
@@ -955,11 +959,15 @@ private void consumeFrame(final RawFrame frame) throws HttpException, IOExceptio
                     throw new H2ConnectionException(H2Error.PROTOCOL_ERROR, "Illegal stream id");
                 }
                 if (frame.isFlagSet(FrameFlag.ACK)) {
-                    // RFC 9113, Section 6.5: SETTINGS with ACK set MUST have an empty payload.
+                    // SETTINGS with ACK set MUST have an empty payload.
                     final ByteBuffer payload = frame.getPayload();
                     if (payload != null && payload.hasRemaining()) {
                         throw new H2ConnectionException(H2Error.FRAME_SIZE_ERROR, "Invalid SETTINGS ACK payload");
                     }
+                    // The first peer SETTINGS cannot be ACK.
+                    if (connState == ConnectionHandshake.ACTIVE && remoteSettingState == SettingsHandshake.READY) {
+                        throw new H2ConnectionException(H2Error.PROTOCOL_ERROR, "Illegal SETTINGS ACK");
+                    }
                     if (localSettingState == SettingsHandshake.TRANSMITTED) {
                         localSettingState = SettingsHandshake.ACKED;
                         ioSession.setEvent(SelectionKey.OP_WRITE);

diff --git a/...-h2/src/test/java/org/apache/hc/core5/http2/impl/nio/TestAbstractH2StreamMultiplexer.java b/...-h2/src/test/java/org/apache/hc/core5/http2/impl/nio/TestAbstractH2StreamMultiplexer.java
@@ -1889,4 +1889,46 @@ void testHeadersWithPriorityFlagAndShortPayloadRejected() throws Exception {
     }
 
 
+    @Test
+    void testFirstPeerFrameMustBeSettings() throws Exception {
+        final AbstractH2StreamMultiplexer mux = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.ODD,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                H2Config.custom().build(),
+                h2StreamListener,
+                () -> streamHandler);
+
+        mux.onConnect();
+
+        final RawFrame ping = new RawFrame(FrameType.PING.getValue(), 0, 0, ByteBuffer.wrap(new byte[8]));
+        final H2ConnectionException ex = Assertions.assertThrows(
+                H2ConnectionException.class,
+                () -> mux.onInput(ByteBuffer.wrap(encodeFrame(ping))));
+        Assertions.assertEquals(H2Error.PROTOCOL_ERROR, H2Error.getByCode(ex.getCode()));
+    }
+
+    @Test
+    void testFirstPeerSettingsAckRejected() throws Exception {
+        final AbstractH2StreamMultiplexer mux = new H2StreamMultiplexerImpl(
+                protocolIOSession,
+                FRAME_FACTORY,
+                StreamIdGenerator.ODD,
+                httpProcessor,
+                CharCodingConfig.DEFAULT,
+                H2Config.custom().build(),
+                h2StreamListener,
+                () -> streamHandler);
+
+        mux.onConnect();
+
+        final RawFrame settingsAck = new RawFrame(FrameType.SETTINGS.getValue(), FrameFlag.ACK.getValue(), 0, null);
+        final H2ConnectionException ex = Assertions.assertThrows(
+                H2ConnectionException.class,
+                () -> mux.onInput(ByteBuffer.wrap(encodeFrame(settingsAck))));
+        Assertions.assertEquals(H2Error.PROTOCOL_ERROR, H2Error.getByCode(ex.getCode()));
+    }
+
 }