Intel

AIKIDO-2026-122075

h2 is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

59

Medium Risk

This Affects:

RUSTh2
0.1.0 - 0.4.14
Fixed in 0.4.15
Are you affected? Scan for Free

TL;DR

The HPACK header decoder inserts every decoded header field into an http::HeaderMap using append(). HeaderMap panics with a size-overflow expectation once its internal capacity is exceeded (around 24,576 unique entries), which is far below the default max_header_list_size budget. A peer that sends a single request or response carrying an absurd number of unique header fields triggers that panic, crashing the connection task and terminating service. The fix switches to try_append() so oversize header lists are rejected at the stream level with a reset instead of aborting.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses h2 to accept HTTP/2 traffic from untrusted peers without a small max_header_list_size (for example h2 used directly rather than through hyper, whose 16 KB default blocks the trigger).

Background info

h2 is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 0.4.14.

How to fix this

Upgrade the h2 library to the patch version.