CVE-2026-33814

Published: May 7, 2026

Modified: May 8, 2026

PUBLISHED

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Vendor	Product	Versions
golang.org/x/net	golang.org/x/net/http2	affected `0 - < 0.53.0`
Go standard library	net/http	affected `0 - < 1.25.10` affected `1.26.0-0 - < 1.26.3`

References

https://go.dev/cl/761581

https://go.dev/cl/761640

https://go.dev/issue/78476

https://groups.google.com/g/golang-announce/c/qcCIEXso47M

https://pkg.go.dev/vuln/GO-2026-4918

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33814

Description

Affected Products

References