CVE-2026-33814
HTTP/2 SETTINGS_MAX_FRAME_SIZE Zero Value Infinite Loop in Go
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | From 1.27.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Go programming language's HTTP/2 transport implementation. When processing HTTP/2 SETTINGS frames, if the transport receives a SETTINGS_MAX_FRAME_SIZE value of 0, it enters an infinite loop of writing CONTINUATION frames.
How can this vulnerability impact me? :
The infinite loop of writing CONTINUATION frames caused by this vulnerability can lead to a denial-of-service (DoS) condition. A malicious server could exploit this to disrupt the normal operation of a client using the affected Go HTTP/2 transport.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when an HTTP/2 SETTINGS frame contains a SETTINGS_MAX_FRAME_SIZE value of 0, causing the transport to enter an infinite loop of writing CONTINUATION frames.
To detect this on your network or system, you can monitor HTTP/2 traffic for SETTINGS frames with a SETTINGS_MAX_FRAME_SIZE set to 0.
Using network packet capture tools like tcpdump or Wireshark, you can filter HTTP/2 SETTINGS frames and inspect the SETTINGS_MAX_FRAME_SIZE parameter.
- Example tcpdump command to capture HTTP/2 traffic: tcpdump -i <interface> -w capture.pcap 'tcp port 443'
- Use Wireshark to open the capture and filter for HTTP/2 SETTINGS frames, then check for SETTINGS_MAX_FRAME_SIZE with value 0.
Additionally, monitoring for abnormal continuous CONTINUATION frames being sent by the client could indicate the infinite loop condition.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Go standard library to a version that includes the fix for this vulnerability.
The fix validates the SETTINGS_MAX_FRAME_SIZE value to ensure it is not zero, preventing the infinite loop condition.
If updating is not immediately possible, consider implementing network-level protections to block or filter HTTP/2 SETTINGS frames with invalid SETTINGS_MAX_FRAME_SIZE values.
Monitoring and rate-limiting suspicious HTTP/2 traffic may also help mitigate denial-of-service attempts exploiting this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.