PT-2026-60604 · H2O · H2O
CVE-2026-44453
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
h2o versions prior to commit 6b5370d
Description
A Denial of Service issue exists when the server serves static files. The software builds the file path on the stack using the
alloca() function. Under certain conditions, the memory allocated via alloca() can reach approximately 600KB, which exceeds the default pthread stack size of 128KB used by musl libc. This leads to a segmentation fault and a server crash when the process attempts to access the guard page (a memory page used to detect stack overflows).Recommendations
Update to the version containing commit 6b5370d.
Exploit
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
H2O