CVE-2016-4817

Source
https://nvd.nist.gov/vuln/detail/CVE-2016-4817
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4817.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2016-4817
Published
2016-06-19T01:59:11.903Z
Modified
2025-11-14T04:40:15.937625Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.

Affected packages

Git / github.com/h2o/h2o

Affected ranges

Type
GIT
Repo
https://github.com/h2o/h2o
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.9.0
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.0-beta1
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.0-beta1
v1.5.0-beta2
v1.5.0-beta3
v1.5.0-beta4
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.0-beta1
v1.6.0-beta2
v1.7.0
v1.7.0-beta1
v1.7.0-beta2
v1.7.0-beta3
v1.7.0-beta4
v1.7.0-beta5
v1.7.1
v1.7.2

Database specific

vanir_signatures

[
    {
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "source": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4",
        "signature_type": "Line",
        "target": {
            "file": "lib/http2/connection.c"
        },
        "id": "CVE-2016-4817-59daa686",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "9254488288664784072808278735934685341",
            "length": 218.0
        },
        "source": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4",
        "signature_type": "Function",
        "target": {
            "function": "close_connection",
            "file": "lib/http2/connection.c"
        },
        "id": "CVE-2016-4817-5e1a9eba",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "340094519555268223943403087251481593318",
            "length": 325.0
        },
        "source": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4",
        "signature_type": "Function",
        "target": {
            "function": "on_read",
            "file": "lib/http2/connection.c"
        },
        "id": "CVE-2016-4817-c51e6c3b",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "digest": {
            "function_hash": "133981974142536589208943285040293713390",
            "length": 1165.0
        },
        "source": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4",
        "signature_type": "Function",
        "target": {
            "function": "parse_input",
            "file": "lib/http2/connection.c"
        },
        "id": "CVE-2016-4817-d83e6edc",
        "signature_version": "v1",
        "deprecated": false
    }
]