Unrated severityNVD Advisory· Published Jul 18, 2026
Debian h2o: h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to com…
CVE-2026-54340
Description
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, and depending on the configuration, additional limits are needed to bound decoded header state and prevent attack. This issue has been fixed by commit 9265bdd.
Affected products
1Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.