CVE-2026-27141
Nil Pointer Dereference in Go HTTP/2 Causes Server Panic
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 0.51.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-27141 is a vulnerability in the Go package "golang.org/x/net/http2" caused by a missing nil check when processing HTTP/2 frames with types in the range 0x0a to 0x0f.'}, {'type': 'paragraph', 'content': 'When the server receives such frames, it attempts to call a parser function that is nil due to unassigned frame types in the frameParsers array, leading to a runtime panic.'}, {'type': 'paragraph', 'content': 'This panic causes the running server to crash unexpectedly.'}] [1, 4]
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) condition.
By sending specially crafted HTTP/2 frames with types between 0x0a and 0x0f to a vulnerable Go server, an attacker can cause the server to panic and crash.
This can disrupt service availability, potentially affecting applications relying on the Go HTTP/2 server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered when a running Go HTTP/2 server receives frames with types in the range 0x0a to 0x0f, causing the server to panic due to a nil pointer dereference.
To detect this vulnerability on your system, you can monitor your Go HTTP/2 server logs for panic events or crashes related to nil pointer dereferences when processing HTTP/2 frames.
On the network level, you can capture HTTP/2 traffic and inspect frame types to see if any frames with types 0x0a to 0x0f are being sent to your server.
- Use packet capture tools like tcpdump or Wireshark to capture traffic on the server port (usually 443 for HTTPS). Example command: tcpdump -i <interface> -w capture.pcap port 443
- Analyze the captured traffic with Wireshark, filtering for HTTP/2 frames and checking for frame types 0x0a to 0x0f.
- Check server logs for panic stack traces or error messages indicating a nil pointer dereference in the HTTP/2 frame processing code.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The immediate mitigation is to update the affected Go package "golang.org/x/net/http2" to a fixed version that includes the patch for this vulnerability.'}, {'type': 'paragraph', 'content': 'The vulnerability affects versions from v0.50.0 up to but not including v0.51.0. Upgrading to v0.51.0 or later will apply the fix that adds a nil check and prevents the server panic.'}, {'type': 'paragraph', 'content': 'If an immediate upgrade is not possible, consider implementing network-level filtering to block or drop HTTP/2 frames with types in the range 0x0a to 0x0f to prevent triggering the panic.'}, {'type': 'paragraph', 'content': 'Monitor your server for crashes and consider restarting it promptly if a panic occurs to restore service availability.'}] [1, 4]