PT-2026-60604 · H2O · H2O

CVE-2026-44453

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions h2o versions prior to commit 6b5370d
Description A Denial of Service issue exists when the server serves static files. The software builds the file path on the stack using the alloca() function. Under certain conditions, the memory allocated via alloca() can reach approximately 600KB, which exceeds the default pthread stack size of 128KB used by musl libc. This leads to a segmentation fault and a server crash when the process attempts to access the guard page (a memory page used to detect stack overflows).
Recommendations Update to the version containing commit 6b5370d.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44453
GHSA-RF9V-M59P-MQ84

Affected Products

H2O