High

Infinite loop DoS in Go HTTP/2 transport SETTINGS_MAX_FRAME_SIZE handling

IdentifiersCVE-2026-33814CWE-835· Loop with Unreachable Exit…

CVE-2026-33814 is a denial-of-service vulnerability in Go's HTTP/2 transport, referenced in net/http/internal/http2 in golang.org/x/net. When the client processes an HTTP/2 SETTINGS frame from a peer and receives SETTINGS_MAX_FRAME_SIZE with the invalid value 0, the transport can enter an infinite loop while writing CONTINUATION frames. The flaw is caused by improper validation of the received SETTINGS_MAX_FRAME_SIZE value before it is used by the HTTP/2 transport logic. A malicious HTTP/2 server can trigger this condition by sending the malformed SETTINGS parameter to a connecting client.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes the affected Go HTTP/2 client transport to loop indefinitely, resulting in denial of service through severe availability impact. The available information indicates no confidentiality or integrity impact; the primary consequence is that a malicious server can remotely consume client resources and prevent normal HTTP/2 communication.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by avoiding connections from Go clients to untrusted or attacker-controlled HTTP/2 servers, or disable/use alternatives to HTTP/2 where operationally feasible until patched. Network controls that restrict outbound client communication to trusted endpoints may also reduce exploitability. However, the authoritative mitigation in the provided content is to apply the fixed Go versions.

Remediation

Patch, then assume compromise.

Upgrade to a fixed Go release that includes the HTTP/2 transport validation fix, specifically the security releases that added proper validation for received SETTINGS_MAX_FRAME_SIZE values, such as Go 1.26.3 or Go 1.25.10 as referenced in the provided content. The fix ensures that invalid SETTINGS_MAX_FRAME_SIZE values are rejected rather than driving the transport into an infinite loop.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GolangGoapplication

GolangHttp2application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

15 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

15 SOURCESView more in app

msrc microsoftNews

May 10, 2026

CVE-2026-33814 - Security Update Guide - Microsoft - Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net

A denial-of-service vulnerability in Go's HTTP/2 transport handling where a malformed SETTINGS_MAX_FRAME_SIZE can trigger an infinite loop, causing loss of availability.

go dev blogNews

Mar 31, 2026

net/http/internal/http2: SETTINGS_MAX_FRAME_SIZE=0 causes Transport to loop infinitely · Issue #78476 · golang/go

A denial-of-service vulnerability in Go's HTTP/2 transport where a malicious server can trigger an infinite loop of CONTINUATION frame writes by sending an invalid SETTINGS_MAX_FRAME_SIZE value of 0.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity13

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-33814

NVD

nvd.nist.gov/vuln/detail/CVE-2026-33814

MITRE CWE · CWE-835

Loop with Unreachable Exit Condition…

pkg.go.dev/vuln/GO-2026-4918

Release Notes

groups.google.com/g/golang-announce/c/qcCIEXso47M

Mailing List

go.dev/issue/78476