CVE-2026-44453
Received Received - Intake

Denial of Service in h2o HTTP Server

Vulnerability report for CVE-2026-44453, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving static files, h2o builds the file path on stack, by calling alloca. The maximum size of the memory allocated using alloca can be as huge as ~600KB, which exceeds the default pthread stack size used by musl libc (128KB). If the amount of memory allocated by alloca exceeds the stack size, the h2o server crashes with a segmentation fault, while it tries to touch the guard page. This issue has been fixed by commit 6b5370d.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
monkey h2o to 6b5370d (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in h2o HTTP server allows a Denial of Service attack by exploiting a stack overflow when serving static files. The server uses alloca to allocate memory on the stack for file paths, which can reach up to 600KB. This exceeds the default pthread stack size in musl libc (128KB), causing a segmentation fault and server crash.

Detection Guidance

This vulnerability can be detected by monitoring for crashes in the h2o server process, particularly when serving static files. Check server logs for segmentation faults or stack overflow errors. No specific commands are provided in the context.

Impact Analysis

If exploited, this vulnerability can crash the h2o server, leading to downtime and unavailability of the services it provides. Attackers could send specially crafted requests to trigger the stack overflow, causing the server to stop responding.

Mitigation Strategies

Update h2o to the latest version that includes commit 6b5370d or later. Restart the h2o server after applying the patch. Monitor server stability after the update.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart