h2o CVE-2026-54340
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remote, unauthenticated, low-complexity HTTP/2 request path (AV:N/AC:L/PR:N/UI:N); memory-exhaustion DoS gives A:H with no confidentiality or integrity impact.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.
AnalysisAI
Remote denial of service in the h2o HTTP server (all versions prior to commit 9265bdd) allows unauthenticated attackers to exhaust server memory by combining HPACK header-decompression amplification with Slowloris-style HTTP/2 stream stalling. By opening many streams that stall mid-request, an attacker forces the server to retain large volumes of amplified decoded header state, degrading or crashing the service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target must be serving HTTP/2, which is the specific protocol path where HPACK decompression and stream multiplexing exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: a network-reachable, low-complexity, unauthenticated attack whose sole impact is availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker opens an HTTP/2 connection to an internet-facing h2o server and initiates many concurrent streams, each carrying an HPACK-compressed field section that decompresses into a large volume of header state, then deliberately stalls the streams (Slowloris-style) without completing them. Because each stalled stream retains its amplified decoded header state and no hard limit bounds the total, memory consumption climbs until the server degrades or is exhausted. … |
| Remediation | Upstream fix available (PR/commit); a released patched version is not independently confirmed from the provided data - update h2o to a build that includes commit 9265bdd9a996ed992681055e3996baf3e09d2063, which adds the H2O_HPACK_MAX_HEADERS_HARD_LIMIT (1000) hard cap and enforces the H2O_MAX_HEADERS soft limit in the HPACK decoder. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all production and staging systems to identify h2o deployments and versions in use, then prioritize those on vulnerable versions for remediation planning. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today