Skip to main content

h2o HTTP Server CVE-2026-44452

MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-16 security-advisories@github.com
5.9
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

AV:N for network-delivered TLS/QUIC handshake; AC:H because zero-length SNI requires non-standard packet crafting; PR:N and UI:N as pre-auth with no interaction; A:H for process crash; C:N and I:N per description and CVSS impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 23:31 vuln.today

DescriptionCVE.org

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over the zero-length hostname while trying to copy the hostname, assuming that it is NULL-terminated. This is a potential denial-of-service attack vector in sense that it might trigger segmentation violation. This issue has been fixed by commit 8dc37cb.

AnalysisAI

Denial-of-service via malformed TLS/QUIC ClientHello in h2o HTTP server allows remote unauthenticated attackers to crash the server process by sending a zero-length SNI extension. The hostname-copy routine assumes NULL-termination on the empty SNI buffer (CWE-125 out-of-bounds read), reading beyond the allocation boundary and triggering a segmentation fault. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft TLS ClientHello with zero-length SNI
Delivery
Send packet to h2o TLS or QUIC listener
Exploit
SNI hostname-copy routine reads past empty buffer
Execution
Out-of-bounds read triggers segmentation fault
Persist
h2o process crashes
Impact
Service unavailable

Vulnerability AssessmentAI

Exploitation Exploitation requires that the h2o server has at least one TLS (HTTPS) or QUIC (HTTP/3) listener active and network-reachable by the attacker; h2o instances serving only plain HTTP without TLS are not affected by this code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H captures the key tension: network-accessible and requiring no authentication or user interaction, but with High Attack Complexity - standard TLS client libraries do not emit zero-length SNI, so reliable exploitation requires crafting non-standard handshake packets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker crafts a TLS ClientHello packet with an SNI extension whose length field is set to zero and sends it to an h2o server's TLS or QUIC listener. The server's SNI hostname-copy routine reads past the empty buffer looking for a NULL terminator, triggering a segmentation fault that crashes the h2o process. …
Remediation The upstream fix is commit 8dc37cb1e6171f7f772667618ea440696fed82c3, available at https://github.com/h2o/h2o/commit/8dc37cb1e6171f7f772667618ea440696fed82c3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44452 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy