CVE-2026-33814 — Vulnetix

CVE-2026-33814 PUBLISHED CVSS 8.699999809265137 HIGH

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

EPSS 0.02% · 5.1th percentile

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS Score

0.02%

5.1th percentile

Affected Products

Vendor	Product	Versions
golang.org/x/net	golang.org/x/net/http2	0
Go standard library	net/http	0, 1.26.0-0

Timeline

May 7, 2026 CVE Published
May 7, 2026 PoC Published
May 8, 2026 CVE Updated
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://pkg.go.dev/vuln/GO-2026-4918 technical
https://go.dev/cl/761581 url
https://go.dev/cl/761640 url
https://go.dev/issue/78476 url
https://groups.google.com/g/golang-announce/c/qcCIEXso47M url

Open in Interactive Console →