CVE-2026-27141
Received Received - Intake
Nil Pointer Dereference in Go HTTP/2 Causes Server Panic

Publication date: 2026-02-26

Last updated on: 2026-02-27

Assigner: Go Project

Description
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27141
EUVD
EUVD-2026-8880
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang go to 0.51.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27141 is a vulnerability in the Go package "golang.org/x/net/http2" caused by a missing nil check when processing HTTP/2 frames with types in the range 0x0a to 0x0f.'}, {'type': 'paragraph', 'content': 'When the server receives such frames, it attempts to call a parser function that is nil due to unassigned frame types in the frameParsers array, leading to a runtime panic.'}, {'type': 'paragraph', 'content': 'This panic causes the running server to crash unexpectedly.'}] [1, 4]

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition.

By sending specially crafted HTTP/2 frames with types between 0x0a and 0x0f to a vulnerable Go server, an attacker can cause the server to panic and crash.

This can disrupt service availability, potentially affecting applications relying on the Go HTTP/2 server.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is triggered when a running Go HTTP/2 server receives frames with types in the range 0x0a to 0x0f, causing the server to panic due to a nil pointer dereference.

To detect this vulnerability on your system, you can monitor your Go HTTP/2 server logs for panic events or crashes related to nil pointer dereferences when processing HTTP/2 frames.

On the network level, you can capture HTTP/2 traffic and inspect frame types to see if any frames with types 0x0a to 0x0f are being sent to your server.

  • Use packet capture tools like tcpdump or Wireshark to capture traffic on the server port (usually 443 for HTTPS). Example command: tcpdump -i <interface> -w capture.pcap port 443
  • Analyze the captured traffic with Wireshark, filtering for HTTP/2 frames and checking for frame types 0x0a to 0x0f.
  • Check server logs for panic stack traces or error messages indicating a nil pointer dereference in the HTTP/2 frame processing code.
Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation is to update the affected Go package "golang.org/x/net/http2" to a fixed version that includes the patch for this vulnerability.'}, {'type': 'paragraph', 'content': 'The vulnerability affects versions from v0.50.0 up to but not including v0.51.0. Upgrading to v0.51.0 or later will apply the fix that adds a nil check and prevents the server panic.'}, {'type': 'paragraph', 'content': 'If an immediate upgrade is not possible, consider implementing network-level filtering to block or drop HTTP/2 frames with types in the range 0x0a to 0x0f to prevent triggering the panic.'}, {'type': 'paragraph', 'content': 'Monitor your server for crashes and consider restarting it promptly if a panic occurs to restore service availability.'}] [1, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27141. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart