CVE-2026-55213
Publication date 13 July 2026
Last updated 13 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate an on-stack buffer as large as approximately 800 KB by calling alloca, which exceeds the default pthread stack size used by musl libc and causes the h2o server to crash with a segmentation fault while touching the guard page. This issue is fixed in commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| h2o | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| dnsdist | 26.04 LTS resolute |
Not affected
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Notes
hlibk
Before dnsdist version 1.8.2-2, dnsdist used system h2o. Between 1.8.2-2 and 1.9.0, dnsdist vendored h2o. After 1.9.0, dnsdist switched from using h2o to nghttp2 and now uses system nghttp2. Also, before 1.4.0 dns-over-https support was not implemented.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H