h2o HTTP Server CVE-2026-44452
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:N for network-delivered TLS/QUIC handshake; AC:H because zero-length SNI requires non-standard packet crafting; PR:N and UI:N as pre-auth with no interaction; A:H for process crash; C:N and I:N per description and CVSS impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over the zero-length hostname while trying to copy the hostname, assuming that it is NULL-terminated. This is a potential denial-of-service attack vector in sense that it might trigger segmentation violation. This issue has been fixed by commit 8dc37cb.
AnalysisAI
Denial-of-service via malformed TLS/QUIC ClientHello in h2o HTTP server allows remote unauthenticated attackers to crash the server process by sending a zero-length SNI extension. The hostname-copy routine assumes NULL-termination on the empty SNI buffer (CWE-125 out-of-bounds read), reading beyond the allocation boundary and triggering a segmentation fault. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the h2o server has at least one TLS (HTTPS) or QUIC (HTTP/3) listener active and network-reachable by the attacker; h2o instances serving only plain HTTP without TLS are not affected by this code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H captures the key tension: network-accessible and requiring no authentication or user interaction, but with High Attack Complexity - standard TLS client libraries do not emit zero-length SNI, so reliable exploitation requires crafting non-standard handshake packets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker crafts a TLS ClientHello packet with an SNI extension whose length field is set to zero and sends it to an h2o server's TLS or QUIC listener. The server's SNI hostname-copy routine reads past the empty buffer looking for a NULL terminator, triggering a segmentation fault that crashes the h2o process. … |
| Remediation | The upstream fix is commit 8dc37cb1e6171f7f772667618ea440696fed82c3, available at https://github.com/h2o/h2o/commit/8dc37cb1e6171f7f772667618ea440696fed82c3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today