CVE-2026-44452
Received Received - Intake

Zero-Length SNI Handling Denial-of-Service in h2o

Vulnerability report for CVE-2026-44452, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over the zero-length hostname while trying to copy the hostname, assuming that it is NULL-terminated. This is a potential denial-of-service attack vector in sense that it might trigger segmentation violation. This issue has been fixed by commit 8dc37cb.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
h2o h2o to 8dc37cb (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-170 The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in h2o HTTP server occurs when a ClientHello message over TLS or QUIC contains a zero-length SNI extension. The server attempts to process this as a valid hostname, leading to a segmentation violation that could crash the service. This is a denial-of-service risk.

Detection Guidance

This vulnerability can be detected by checking the version of h2o running on your system. If the version is prior to commit 8dc37cb, the system is vulnerable. Run: h2o -v to check the version.

Impact Analysis

This vulnerability could cause the h2o server to crash, disrupting web services and making them unavailable to users. It may lead to service outages or degraded performance if exploited.

Mitigation Strategies

Upgrade h2o to a version that includes commit 8dc37cb or later. This fixes the zero-length SNI extension handling issue. Check the official h2o repository for the latest release.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44452. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart