{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33814","assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","state":"PUBLISHED","assignerShortName":"Go","dateReserved":"2026-03-23T20:35:32.814Z","datePublished":"2026-05-07T19:41:17.631Z","dateUpdated":"2026-07-08T12:05:50.420Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go","dateUpdated":"2026-05-07T19:41:17.631Z"},"title":"Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net","descriptions":[{"lang":"en","value":"When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."}],"affected":[{"vendor":"golang.org/x/net","product":"golang.org/x/net/http2","collectionURL":"https://pkg.go.dev","packageName":"golang.org/x/net/http2","versions":[{"version":"0","lessThan":"0.53.0","status":"affected","versionType":"semver"}],"programRoutines":[{"name":"clientConnReadLoop.processSettingsNoWrite"},{"name":"Transport.NewClientConn"},{"name":"Transport.RoundTrip"},{"name":"Transport.RoundTripOpt"},{"name":"clientConnPool.GetClientConn"},{"name":"noDialClientConnPool.GetClientConn"},{"name":"noDialH2RoundTripper.NewClientConn"},{"name":"noDialH2RoundTripper.RoundTrip"},{"name":"unencryptedTransport.RoundTrip"}],"defaultStatus":"unaffected"},{"vendor":"Go standard library","product":"net/http","collectionURL":"https://pkg.go.dev","packageName":"net/http","versions":[{"version":"0","lessThan":"1.25.10","status":"affected","versionType":"semver"},{"version":"1.26.0-0","lessThan":"1.26.3","status":"affected","versionType":"semver"}],"programRoutines":[{"name":"http2clientConnReadLoop.processSettingsNoWrite"},{"name":"Client.CloseIdleConnections"},{"name":"Client.Do"},{"name":"Client.Get"},{"name":"Client.Head"},{"name":"Client.Post"},{"name":"Client.PostForm"},{"name":"ClientConn.Close"},{"name":"ClientConn.RoundTrip"},{"name":"Get"},{"name":"Head"},{"name":"Post"},{"name":"PostForm"},{"name":"Transport.CloseIdleConnections"},{"name":"Transport.NewClientConn"},{"name":"Transport.RoundTrip"},{"name":"http1ClientConn.Close"},{"name":"http1ClientConn.RoundTrip"},{"name":"http2Transport.NewClientConn"},{"name":"http2Transport.RoundTrip"},{"name":"http2Transport.RoundTripOpt"},{"name":"http2clientConnPool.GetClientConn"},{"name":"http2noDialClientConnPool.GetClientConn"},{"name":"http2noDialH2RoundTripper.NewClientConn"},{"name":"http2noDialH2RoundTripper.RoundTrip"},{"name":"http2unencryptedTransport.RoundTrip"}],"defaultStatus":"unaffected"}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}]}],"references":[{"url":"https://go.dev/cl/761581"},{"url":"https://go.dev/cl/761640"},{"url":"https://go.dev/issue/78476"},{"url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"},{"url":"https://pkg.go.dev/vuln/GO-2026-4918"}],"credits":[{"lang":"en","value":"Marwan Atia (marwansamir688@gmail.com)"}]},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.5,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-05-08T18:00:53.951676Z","id":"CVE-2026-33814","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-08T18:01:02.989Z"}},{"affected":[{"cpes":["cpe:/a:redhat:cluster_observability_operator:1.5::el9"],"defaultStatus":"affected","product":"Cluster Observability Operator 1.5.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.0::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.1::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.2::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:3.3::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Service Mesh 3.3","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux_ai:3"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AI (RHEL AI) 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:container_native_virtualization:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Virtualization 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_mesh:2"],"defaultStatus":"unaffected","product":"OpenShift Service Mesh 2","vendor":"Red Hat"}],"datePublic":"2026-05-07T19:41:17.631Z","descriptions":[{"lang":"en","value":"A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-606","description":"Unchecked Input for Loop Condition","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-33814"},{"name":"RHBZ#2467815","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2467815"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34342"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23262"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23264"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:33120"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:33123"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:33142"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:33150"}],"solutions":[{"lang":"en","value":"RHSA-2026:34342: Cluster Observability Operator 1.5.0"},{"lang":"en","value":"RHSA-2026:23262: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:23264: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"},{"lang":"en","value":"RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"},{"lang":"en","value":"RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"},{"lang":"en","value":"RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"}],"timeline":[{"lang":"en","time":"2026-05-07T20:01:11.324Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-07T19:41:17.631Z","value":"Made public."}],"title":"net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-08T12:05:50.420Z"}}]}}