H2O QUIC State Exhaustion Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the H2O HTTP server, specifically in versions through 2.3.0-beta, due to a state exhaustion issue in the QUIC stack (quicly) used by the server. While H2O is serving HTTP/3 requests, a remote attacker can exploit this vulnerability to gradually increase the memory consumed by the QUIC stack until memory is exhausted and H2O crashes. HTTP/1 and HTTP/2 are not affected, as they do not use QUIC.

Impact

Exploitation of this vulnerability can cause H2O to terminate unexpectedly due to running out of available memory.

Remediation

To address this vulnerability, H2O users should update to version 2.3.0-beta or later. For those unable to upgrade, QUIC support can be disabled. Guidance on HTTP/3 configuration directives is available in the H2O documentation.

Added: Mar 11, 2026, 6:31 PM
Updated: Mar 11, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 8.2
remediation: 7.9
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.