Skip to main content

h2o CVE-2026-44453

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-16 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.9 MEDIUM

Network, unauthenticated, no interaction, availability-only crash; AC:H because exploitation depends on the non-default musl-libc build with a 128KB stack.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 23:30 vuln.today
CVE Published
Jul 16, 2026 - 23:16 cve.org
HIGH 7.5

DescriptionCVE.org

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving static files, h2o builds the file path on stack, by calling alloca. The maximum size of the memory allocated using alloca can be as huge as ~600KB, which exceeds the default pthread stack size used by musl libc (128KB). If the amount of memory allocated by alloca exceeds the stack size, the h2o server crashes with a segmentation fault, while it tries to touch the guard page. This issue has been fixed by commit 6b5370d.

AnalysisAI

Denial of service in the h2o HTTP server (all versions prior to commit 6b5370d) allows remote unauthenticated attackers to crash the server by requesting static files whose on-stack path construction via alloca can reach ~600KB, exceeding musl libc's default 128KB pthread stack and triggering a guard-page segmentation fault. The flaw is a CWE-770 uncontrolled resource allocation issue affecting availability only (CVSS 7.5, A:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach network-exposed h2o static-file endpoint
Delivery
Craft request maximizing on-stack path length
Exploit
alloca allocates ~600KB beyond 128KB musl stack
Execution
Write touches guard page
Impact
Worker segfaults, service denied

Vulnerability AssessmentAI

Exploitation Exploitation requires that (1) h2o is serving static files via the code path that builds the file path on the stack using alloca, and (2) the h2o binary is compiled against musl libc, whose 128KB default pthread stack is smaller than the up-to-~600KB alloca allocation - this is the decisive precondition (glibc builds with larger default stacks are effectively not exploitable). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) indicates a network-reachable, unauthenticated, no-interaction attack with high availability impact and no confidentiality or integrity impact - a pure crash/DoS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends an HTTP request to an h2o server (built against musl libc) crafted so that the static-file path built on the stack via alloca approaches ~600KB, exceeding the 128KB thread stack. The write into the guard page faults and the h2o worker crashes with a segmentation fault, dropping service for all clients. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the change from commit 6b5370d9d09fcf83aa7620ddf77de1954a192181 (https://github.com/h2o/h2o/commit/6b5370d9d09fcf83aa7620ddf77de1954a192181) by rebuilding h2o from a source tree that includes it, or upgrade to a distribution/package build that incorporates it once released. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running h2o and flag instances on musl libc environments (Alpine, containerized deployments); implement monitoring for server crashes. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44453 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy