Skip to main content

h2o CVE-2026-54340

HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-17 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity HTTP/2 request path (AV:N/AC:L/PR:N/UI:N); memory-exhaustion DoS gives A:H with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 00:30 vuln.today
Analysis Generated
Jul 17, 2026 - 00:30 vuln.today
CVE Published
Jul 17, 2026 - 00:16 cve.org
HIGH 7.5

DescriptionCVE.org

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.

AnalysisAI

Remote denial of service in the h2o HTTP server (all versions prior to commit 9265bdd) allows unauthenticated attackers to exhaust server memory by combining HPACK header-decompression amplification with Slowloris-style HTTP/2 stream stalling. By opening many streams that stall mid-request, an attacker forces the server to retain large volumes of amplified decoded header state, degrading or crashing the service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Open HTTP/2 connection to h2o
Delivery
Send amplified HPACK header sections
Exploit
Stall many concurrent streams
Execution
Retain unbounded decoded header state
Impact
Exhaust server memory / deny service

Vulnerability AssessmentAI

Exploitation The target must be serving HTTP/2, which is the specific protocol path where HPACK decompression and stream multiplexing exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, base 7.5) is internally consistent with the description: a network-reachable, low-complexity, unauthenticated attack whose sole impact is availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker opens an HTTP/2 connection to an internet-facing h2o server and initiates many concurrent streams, each carrying an HPACK-compressed field section that decompresses into a large volume of header state, then deliberately stalls the streams (Slowloris-style) without completing them. Because each stalled stream retains its amplified decoded header state and no hard limit bounds the total, memory consumption climbs until the server degrades or is exhausted. …
Remediation Upstream fix available (PR/commit); a released patched version is not independently confirmed from the provided data - update h2o to a build that includes commit 9265bdd9a996ed992681055e3996baf3e09d2063, which adds the H2O_HPACK_MAX_HEADERS_HARD_LIMIT (1000) hard cap and enforces the H2O_MAX_HEADERS soft limit in the HPACK decoder. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all production and staging systems to identify h2o deployments and versions in use, then prioritize those on vulnerable versions for remediation planning. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy