CVE-2026-44452
Publication date 17 July 2026
Last updated 17 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over the zero-length hostname while trying to copy the hostname, assuming that it is NULL-terminated. This is a potential denial-of-service attack vector in sense that it might trigger segmentation violation. This issue has been fixed by commit 8dc37cb.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| h2o | 26.04 LTS resolute | Not in release |
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| dnsdist | 26.04 LTS resolute |
Not affected
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
Notes
hlibk
Before dnsdist version 1.8.2-2, dnsdist used system h2o. Between 1.8.2-2 and 1.9.0, dnsdist vendored h2o. After 1.9.0, dnsdist switched from using h2o to nghttp2 and now uses system nghttp2. Also, before 1.4.0 dns-over-https support was not implemented.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.9 · Medium
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H