CVE-2026-54340

EUVD-2026-45075
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
h2o
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
resolute
dne
dnsdist
bionic
not-affected
focal
not-affected
jammy
not-affected
noble
needs-triage
resolute
not-affected