HIGHCVE-2026-33814Published 2026-05-07Modified 2026-05-08CNA Go

CVE-2026-33814: Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0.53.0
Affected Products: 2

Fix available

0.53.01.25.101.26.3

Affected packages

golang.org/x/net / golang.org/x/net/http2
< 0.53.0 (from 0)
Go standard library / net/http
< 1.25.10 (from 0) · < 1.26.3 (from 1.26.0-0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

go.dev
go.dev
go.dev
groups.google.com
pkg.go.dev

Metrics

Fix available