{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "0"
              },
              {
                "last_affected": "1.7.2"
              },
              {
                "introduced": "0"
              },
              {
                "last_affected": "2.0.0"
              }
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "822f6696f5a380d42b2125f3530e2ca997d16d95"
            },
            {
              "introduced": "0"
            },
            {
              "last_affected": "788d3dcf683f65acc43a0dd81a75d697574b7656"
            },
            {
              "fixed": "1c0808d580da09fdec5a9a74ff09e103ea058dd4"
            }
          ],
          "repo": "https://github.com/h2o/h2o",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.",
  "id": "CVE-2016-4817",
  "modified": "2026-04-01T23:09:59.246655668Z",
  "published": "2016-06-19T01:59:11.903Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://jvn.jp/en/jp/JVN87859762/index.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000091"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/h2o/h2o/pull/920"
    },
    {
      "type": "FIX",
      "url": "https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}