CVE-2026-33814 | THREATINT

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

PUBLISHED Reserved 2026-03-23 | Published 2026-05-07 | Updated 2026-05-08 | Assigner Go

Problem types

CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Product status

Default status

unaffected

Any version before 0.53.0

affected

Default status

unaffected

Any version before 1.25.10

affected

1.26.0-0 (semver) before 1.26.3

affected

Credits

Marwan Atia (marwansamir688@gmail.com)

References

go.dev/cl/761581

go.dev/cl/761640

go.dev/issue/78476

groups.google.com/g/golang-announce/c/qcCIEXso47M

pkg.go.dev/vuln/GO-2026-4918

cve.org (CVE-2026-33814)

nvd.nist.gov (CVE-2026-33814)

Download JSON