Go HTTP/2 Infinity Loop from SETTINGS_MAX_FRAME_SIZE=0: CVE-2026-33814 May 2026

Go HTTP/2 Infinity Loop from SETTINGS_MAX_FRAME_SIZE=0
CVE-2026-33814 Published on May 7, 2026

Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Vulnerability Analysis

CVE-2026-33814 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

HIGH

Products Associated with CVE-2026-33814

Want to know whenever a new CVE is published for GoLang Go? stack.watch will email you.

Affected Versions

Before 0.53.0 is affected.

Before 1.25.10 is affected.

Version 1.26.0-0 and below 1.26.3 is affected.

Go HTTP/2 Infinity Loop from SETTINGS_MAX_FRAME_SIZE=0CVE-2026-33814 Published on May 7, 2026

Vulnerability Analysis

Products Associated with CVE-2026-33814

Affected Versions

Go HTTP/2 Infinity Loop from SETTINGS_MAX_FRAME_SIZE=0
CVE-2026-33814 Published on May 7, 2026