{"id":"GO-2026-4918","summary":"Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net","details":"When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.","aliases":["BIT-golang-2026-33814","CVE-2026-33814"],"modified":"2026-05-11T08:11:05.383192409Z","published":"2026-05-07T19:21:40Z","related":["CGA-v7v4-9r6p-x7fc"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4918","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://go.dev/cl/761581"},{"type":"FIX","url":"https://go.dev/cl/761640"},{"type":"REPORT","url":"https://go.dev/issue/78476"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/qcCIEXso47M"}],"affected":[{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.53.0"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["Transport.NewClientConn","Transport.RoundTrip","Transport.RoundTripOpt","clientConnPool.GetClientConn","clientConnReadLoop.processSettingsNoWrite","noDialClientConnPool.GetClientConn","noDialH2RoundTripper.NewClientConn","noDialH2RoundTripper.RoundTrip","unencryptedTransport.RoundTrip"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4918.json"}},{"package":{"name":"stdlib","ecosystem":"Go","purl":"pkg:golang/stdlib"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.25.10"},{"introduced":"1.26.0-0"},{"fixed":"1.26.3"}]}],"ecosystem_specific":{"imports":[{"symbols":["Client.CloseIdleConnections","Client.Do","Client.Get","Client.Head","Client.Post","Client.PostForm","ClientConn.Close","ClientConn.RoundTrip","Get","Head","Post","PostForm","Transport.CloseIdleConnections","Transport.NewClientConn","Transport.RoundTrip","http1ClientConn.Close","http1ClientConn.RoundTrip","http2Transport.NewClientConn","http2Transport.RoundTrip","http2Transport.RoundTripOpt","http2clientConnPool.GetClientConn","http2clientConnReadLoop.processSettingsNoWrite","http2noDialClientConnPool.GetClientConn","http2noDialH2RoundTripper.NewClientConn","http2noDialH2RoundTripper.RoundTrip","http2unencryptedTransport.RoundTrip"],"path":"net/http"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4918.json"}}],"schema_version":"1.7.5","credits":[{"name":"Marwan Atia (marwansamir688@gmail.com)"}]}