CVE-2026-55213
Received Received - Intake

HTTP/3 QPACK Stack Overflow in h2o Server

Vulnerability report for CVE-2026-55213, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
h2o h2o to edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the h2o HTTP server when processing QPACK instructions over HTTP/3. Specifically, before a certain code fix, the server could allocate a very large buffer (around 800 KB) on the stack using alloca. This allocation size exceeds the default pthread stack size used by musl libc, which leads to a stack overflow and causes the h2o server to crash with a segmentation fault when the guard page is accessed.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. Because the server crashes due to a segmentation fault caused by stack overflow, an attacker could potentially disrupt the availability of the h2o server by sending specially crafted QPACK instructions over HTTP/3.

Mitigation Strategies

To mitigate this vulnerability, update the h2o HTTP server to include the fix introduced in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1. This fix prevents the large on-stack buffer allocation that causes the server to crash.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart