CVE-2026-54340
Received Received - Intake

HTTP/2 State Amplification in h2o

Vulnerability report for CVE-2026-54340, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
h2o h2o to 8dc37cb (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54340 is a high-severity HTTP/2 state amplification vulnerability in the H2O web server. It combines HPACK decompression amplification with Slowloris-style stream stalling, allowing attackers to retain amplified decoded header state in stalled streams. This can lead to excessive memory consumption and denial of service.

Detection Guidance

Detecting this vulnerability requires checking if your H2O server version is vulnerable. Use the command: h2o -v to check the version. If the version is before commit 9265bdd, the system is vulnerable. Monitor network traffic for Slowloris-style attacks or excessive header processing using tools like Wireshark or tcpdump to capture HTTP/2 traffic patterns.

Impact Analysis

This vulnerability allows remote attackers to exploit network access with low complexity, potentially causing denial of service by consuming excessive server resources. It requires no privileges or user interaction, making it easy to exploit.

Compliance Impact

This vulnerability primarily impacts availability by enabling denial-of-service attacks through HTTP/2 state amplification. While it does not directly expose or leak data, prolonged service disruption could violate availability requirements in GDPR (Article 32) and HIPAA (Security Rule Β§164.312). Organizations must ensure patched versions are deployed to maintain compliance with these standards.

Mitigation Strategies

Immediately update H2O to commit 9265bdd or later. If updating is not possible, apply the provided patches from commit 9265bdd. Configure the new limits in the H2O configuration file: set H2O_HPACK_MAX_HEADERS_HARD_LIMIT to 1000, H2O_MAX_HEADERS to 100, and H2O_MAX_REQLEN to 8192 + 4096 * headers. Restart the H2O service after changes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54340. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart