Search CVE reports


Toggle filters

1 – 10 of 38 results


CVE-2026-54340

Medium priority
Needs evaluation

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling....

2 affected packages

h2o, dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
h2o Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
dnsdist Not affected Needs evaluation Not affected Not affected Not affected
Show less packages

CVE-2026-44453

Medium priority
Needs evaluation

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 6b5370d, h2o is vulnerable to a Denial of Service attack when calling alloca under certain conditions. When serving static files, h2o builds the...

2 affected packages

h2o, dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
h2o Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
dnsdist Not affected Needs evaluation Not affected Not affected Not affected
Show less packages

CVE-2026-44452

Medium priority
Needs evaluation

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 8dc37cb, when h2o receives a ClientHello message over TLS or QUIC and it contains a zero-length SNI extension, the h2o server runs over...

2 affected packages

h2o, dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
h2o Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
dnsdist Not affected Needs evaluation Not affected Not affected Not affected
Show less packages

CVE-2026-55213

Medium priority
Needs evaluation

h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit edd7a120bfc4af11ac0cbebce2a43cc1f93f9af1, when h2o processes a QPACK instruction sent from the peer over HTTP/3, lib/http3/qpack.c might allocate...

2 affected packages

h2o, dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
h2o Not in release Needs evaluation Needs evaluation Needs evaluation Needs evaluation
dnsdist Not affected Needs evaluation Not affected Not affected Not affected
Show less packages

CVE-2026-42004

Medium priority
Needs evaluation

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that...

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-40211

Medium priority
Needs evaluation

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be...

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-40210

Medium priority
Needs evaluation

An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-40209

Medium priority
Needs evaluation

An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is...

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-40208

Medium priority
Needs evaluation

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages

CVE-2026-40011

Medium priority
Needs evaluation

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be...

1 affected package

dnsdist

Package 26.04 LTS 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS
dnsdist Needs evaluation Needs evaluation Needs evaluation Needs evaluation Needs evaluation
Show less packages