H2O · CVE-2024-45403
Name of the Vulnerable Software and Affected Versions:
h2o versions prior to the version containing commit 1ed32b2
Description:
The issue affects h2o, an HTTP server that supports HTTP/1.x, HTTP/2, and HTTP/3. When configured as a reverse proxy, h2o may crash due to an assertion failure if HTTP/3 requests are cancelled by the client. This crash can be exploited to mount a Denial-of-Service attack. Although the standalone h2o server automatically restarts by default, minimizing the impact, concurrent HTTP requests will still be disrupted.
Recommendations:
To mitigate the issue, users may disable the use of HTTP/3 until a patch is available.
Update to the version containing commit 1ed32b2 to resolve the issue.
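The following is an added configuration example, not part of this advisory or of the h2o project's documentation. It shows how the workaround above looks in an h2o configuration file, assuming h2o's YAML syntax in which a `listen` entry with `type: quic` enables HTTP/3 alongside the TLS listener. The hostname, certificate paths and backend address are placeholders.

```yaml
# Added example (not from the advisory): a minimal h2o reverse-proxy setup.
# Placeholders: example.com, the certificate/key paths and the backend URL.

hosts:
  "example.com":
    paths:
      "/":
        proxy.reverse.url: "http://127.0.0.1:8080"   # placeholder backend

# HTTP/1.x and HTTP/2 over TLS on TCP/443. This path is not affected; keep it.
listen: &listen_ssl
  port: 443
  ssl:
    certificate-file: /path/to/fullchain.pem   # placeholder
    key-file: /path/to/privkey.pem             # placeholder

# HTTP/3 (QUIC) on UDP/443. Until the build containing commit 1ed32b2 is
# deployed, leave this block commented out so that no HTTP/3 request can
# reach the reverse-proxy code path affected by the cancellation crash.
# Clients then fall back to HTTP/2 or HTTP/1.x over the TLS listener above.
#
# listen:
#   <<: *listen_ssl
#   type: quic
```

Once the patched version is running, restoring the commented `type: quic` listener re-enables HTTP/3; until then, a quick way to confirm the workaround is in place is to verify that the server no longer accepts UDP/443 and no longer advertises HTTP/3 via Alt-Svc.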