CVE-2026-33814
Awaiting Analysis Awaiting Analysis - Queue
HTTP/2 SETTINGS_MAX_FRAME_SIZE Zero Value Infinite Loop in Go

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: Go Project

Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-33814
EUVD
EUVD-2026-28420
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang go From 1.27.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Go programming language's HTTP/2 transport implementation. When processing HTTP/2 SETTINGS frames, if the transport receives a SETTINGS_MAX_FRAME_SIZE value of 0, it enters an infinite loop of writing CONTINUATION frames.

Impact Analysis

The infinite loop of writing CONTINUATION frames caused by this vulnerability can lead to a denial-of-service (DoS) condition. A malicious server could exploit this to disrupt the normal operation of a client using the affected Go HTTP/2 transport.

Detection Guidance

This vulnerability occurs when an HTTP/2 SETTINGS frame contains a SETTINGS_MAX_FRAME_SIZE value of 0, causing the transport to enter an infinite loop of writing CONTINUATION frames.

To detect this on your network or system, you can monitor HTTP/2 traffic for SETTINGS frames with a SETTINGS_MAX_FRAME_SIZE set to 0.

Using network packet capture tools like tcpdump or Wireshark, you can filter HTTP/2 SETTINGS frames and inspect the SETTINGS_MAX_FRAME_SIZE parameter.

  • Example tcpdump command to capture HTTP/2 traffic: tcpdump -i <interface> -w capture.pcap 'tcp port 443'
  • Use Wireshark to open the capture and filter for HTTP/2 SETTINGS frames, then check for SETTINGS_MAX_FRAME_SIZE with value 0.

Additionally, monitoring for abnormal continuous CONTINUATION frames being sent by the client could indicate the infinite loop condition.

Mitigation Strategies

Immediate mitigation involves updating the Go standard library to a version that includes the fix for this vulnerability.

The fix validates the SETTINGS_MAX_FRAME_SIZE value to ensure it is not zero, preventing the infinite loop condition.

If updating is not immediately possible, consider implementing network-level protections to block or filter HTTP/2 SETTINGS frames with invalid SETTINGS_MAX_FRAME_SIZE values.

Monitoring and rate-limiting suspicious HTTP/2 traffic may also help mitigate denial-of-service attempts exploiting this vulnerability.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33814. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart