CVE-2026-55213
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH



