h2o CVE-2026-44453
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network, unauthenticated, no interaction, availability-only crash; AC:H because exploitation depends on the non-default musl-libc build with a 128KB stack.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving static files, h2o builds the file path on stack, by calling alloca. The maximum size of the memory allocated using alloca can be as huge as ~600KB, which exceeds the default pthread stack size used by musl libc (128KB). If the amount of memory allocated by alloca exceeds the stack size, the h2o server crashes with a segmentation fault, while it tries to touch the guard page. This issue has been fixed by commit 6b5370d.
AnalysisAI
Denial of service in the h2o HTTP server (all versions prior to commit 6b5370d) allows remote unauthenticated attackers to crash the server by requesting static files whose on-stack path construction via alloca can reach ~600KB, exceeding musl libc's default 128KB pthread stack and triggering a guard-page segmentation fault. The flaw is a CWE-770 uncontrolled resource allocation issue affecting availability only (CVSS 7.5, A:H). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that (1) h2o is serving static files via the code path that builds the file path on the stack using alloca, and (2) the h2o binary is compiled against musl libc, whose 128KB default pthread stack is smaller than the up-to-~600KB alloca allocation - this is the decisive precondition (glibc builds with larger default stacks are effectively not exploitable). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) indicates a network-reachable, unauthenticated, no-interaction attack with high availability impact and no confidentiality or integrity impact - a pure crash/DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an HTTP request to an h2o server (built against musl libc) crafted so that the static-file path built on the stack via alloca approaches ~600KB, exceeding the 128KB thread stack. The write into the guard page faults and the h2o worker crashes with a segmentation fault, dropping service for all clients. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from commit 6b5370d9d09fcf83aa7620ddf77de1954a192181 (https://github.com/h2o/h2o/commit/6b5370d9d09fcf83aa7620ddf77de1954a192181) by rebuilding h2o from a source tree that includes it, or upgrade to a distribution/package build that incorporates it once released. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems running h2o and flag instances on musl libc environments (Alpine, containerized deployments); implement monitoring for server crashes. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today