PT-2016-6161 · H2O · H2O

Tim Newsham

Published

2016-06-19

Updated

2021-04-19

CVE-2016-4817

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions H2O versions 1.7.3 and earlier H2O versions 2.x before 2.0.0-beta5

Description The issue is related to the mishandling of HTTP/2 disconnection in the lib/http2/connection.c file. This allows remote attackers to cause a denial of service, resulting in a use-after-free condition and application crash, or possibly execute arbitrary code via a crafted packet.

Recommendations For H2O versions 1.7.3 and earlier, update to version 1.7.3 or later. For H2O versions 2.x before 2.0.0-beta5, update to version 2.0.0-beta5 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2016-4817

Affected Products

H2O

PT-2016-6161 · H2O · H2O

CVE-2016-4817

Related Identifiers

Affected Products

References · 8