CVE-2026-33814

Summary

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected Software

VendorProductVersion RangeStatus
golang.org/x/netgolang.org/x/net/http20 < 0.53.0affected
Go standard librarynet/http0 < 1.25.10affected
Go standard librarynet/http1.26.0-0 < 1.26.3affected

Weaknesses

  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame

Additional References

References