๐Ÿ” CVE Alert

CVE-2026-55213

HIGH 7.5

h2o: musl libc stack overflow (QPACK)

CVSS Score
7.5
EPSS Score
0.3%
EPSS Percentile
26th

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1.

CWE CWE-789
Vendor h2o
Product h2o
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for h2o h2o

Be the first to know when new high vulnerabilities affecting h2o h2o are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

h2o / h2o
< edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/h2o/h2o/security/advisories/GHSA-432c-8xmj-frmq github.com: https://github.com/h2o/h2o/commit/edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1