FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- HTTP/2 state amplification denial of service

Affected packages
h2o < 20260609

Details

VuXML ID 35c57495-2231-4733-a66e-044f3dad8b21
Discovery 2026-06-04
Entry 2026-06-11

h2o project reports:

An HTTP/2 attack can combine HPACK decompression state amplification with stalled streams. Depending on server configuration, decoded header state can be retained by stalled streams, causing excessive memory use and denial of service.

[source]

References

URL https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb
URL https://github.com/h2o/h2o/security/advisories/GHSA-qcrr-wrhc-pgq9

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.