CVE-2026-54340
EUVD-2026-4507517.07.2026, 00:16
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.Enginsight
Awaiting analysis
This vulnerability is currently awaiting analysis.
Ubuntu Releases