Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
Summary
| CVE | CVE-2026-33814 |
|---|---|
| State | PUBLISHED |
| Assigner | Go |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-07 20:16:42 UTC |
| Updated | 2026-07-10 12:16:41 UTC |
| Description | When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000190000 probability, percentile 0.052620000 (date 2026-05-12)
Problem Types: CWE-835 | CWE-606 | CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') | CWE-606 Unchecked Input for Loop Condition
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Golang.orgxnet | Golang.org/x/net/http2 | affected 0.53.0 semver | Not specified |
| CNA | Go Standard Library | Net/http | affected 1.25.10 semver | Not specified |
| CNA | Go Standard Library | Net/http | affected 1.26.0-0 1.26.3 semver | Not specified |
| ADP | Red Hat | Cluster Observability Operator 1.5.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3.3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Service Mesh 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Openshift Data Foundation 4.22 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AI RHEL AI 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Virtualization 4 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:23262 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/issue/78476 | [email protected] | go.dev | Issue Tracking, Mailing List |
| go.dev/cl/761581 | [email protected] | go.dev | Patch |
| access.redhat.com/errata/RHSA-2026:34342 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37387 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| go.dev/cl/761640 | [email protected] | go.dev | Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33123 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:23264 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33120 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| groups.google.com/g/golang-announce/c/qcCIEXso47M | [email protected] | groups.google.com | Release Notes |
| access.redhat.com/security/cve/CVE-2026-33814 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33142 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| pkg.go.dev/vuln/GO-2026-4918 | [email protected] | pkg.go.dev | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:33150 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Marwan Atia ([email protected]) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-07T20:01:11.324Z | Reported to Red Hat. |
| ADP | 2026-05-07T19:41:17.631Z | Made public. |
Solutions
ADP: RHSA-2026:34342: Cluster Observability Operator 1.5.0
ADP: RHSA-2026:23262: Red Hat Hardened Images
ADP: RHSA-2026:23264: Red Hat Hardened Images
ADP: RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1
ADP: RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2
ADP: RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3
ADP: RHSA-2026:33120: Red Hat OpenShift Service Mesh 3
ADP: RHSA-2026:37387: Red Hat Openshift Data Foundation 4.22
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.