FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

h2o -- stack overflow serving static files on musl libc

Affected packages
h2o < 20260609

Details

VuXML ID 644d5e6c-1bd9-4904-8440-16c04100a2e1
Discovery 2026-05-29
Entry 2026-06-11

h2o project reports:

When serving static files, h2o can allocate a file path on the stack using alloca. On systems using musl libc, a large allocation can exceed the default pthread stack size and crash the server, causing a denial of service.

[source]

References

CVE Name CVE-2026-44453
URL https://github.com/h2o/h2o/security/advisories/GHSA-rf9v-m59p-mq84

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.