CVE-2021-43848 – Unititialized memory access in h2o

https://notcve.org/view.php?id=CVE-2021-43848

h2o is an open source http server. In code prior to the `8c0eca3` commit h2o may attempt to access uninitialized memory. When receiving QUIC frames in certain order, HTTP/3 server-side implementation of h2o can be misguided to treat uninitialized memory as HTTP/3 frames that have been received. When h2o is used as a reverse proxy, an attacker can abuse this vulnerability to send internal state of h2o to backend servers controlled by the attacker or third party. Also, if there is an HTTP endpoint that reflects the traffic sent from the client, an attacker can use that reflector to obtain internal state of h2o. • https://github.com/h2o/h2o/commit/8c0eca3 https://github.com/h2o/h2o/security/advisories/GHSA-f9xw-j925-m4m4 • CWE-908: Use of Uninitialized Resource •