CVE-2026-55213

HTTP · h2o

The h2o HTTP server is vulnerable to memory exhaustion due to improper handling of excessive allocation requests, leading to potential denial-of-service.

Executive summary

An unauthenticated attacker can cause a denial-of-service condition in the h2o HTTP server by triggering excessive memory allocation requests.

Vulnerability

This vulnerability (CWE-789) occurs when the server fails to properly validate the size of memory allocation requests. An unauthenticated attacker can send crafted HTTP requests that force the server to allocate excessive memory, leading to a crash or service unavailability.

Business impact

The primary impact is the loss of service availability. For businesses relying on h2o as a web or proxy server, this vulnerability can be exploited to take down critical public-facing infrastructure. The CVSS score of 7.5 highlights the severity of the threat to service availability via a network-based attack vector.

Remediation

Immediate Action: Update to the latest version of h2o containing the fix (commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1).

Proactive Monitoring: Monitor server memory usage and process stability; alert on sudden spikes in resource consumption or frequent service restarts.

Compensating Controls: Deploy a WAF to inspect incoming HTTP requests for unusual size or malformed headers that may be indicative of an attempt to trigger large memory allocations.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Because this vulnerability allows for unauthenticated remote denial-of-service, it presents a significant risk to the uptime of web services. Administrators should prioritize updating their h2o installations to the version containing the commit fix to ensure robust protection against memory exhaustion attacks.