    12 vulnerabilities found for golang.org/x/net/http2 by golang.org/x/net

    CVE-2026-33814 (GCVE-0-2026-33814)

    Vulnerability from nvd – Published: 2026-05-07 19:41 – Updated: 2026-07-02 12:05
    Title
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
    Summary
    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    • CWE-606 - Unchecked Input for Loop Condition
    Assigner
    Go
    Impacted products
    Vendor | Product | Version / CPE
    golang.org/x/net | golang.org/x/net/http2 | Affected: 0, < 0.53.0 (semver)
    Go standard library | net/http | Affected: 0, < 1.25.10 (semver); Affected: 1.26.0-0, < 1.26.3 (semver)
    Red Hat | Cluster Observability Operator 1.5.0 | cpe:/a:redhat:cluster_observability_operator:1.5::el9
    Red Hat | Red Hat Hardened Images | cpe:/a:redhat:hummingbird:1
    Red Hat | Red Hat OpenShift Service Mesh 3.0 | cpe:/a:redhat:service_mesh:3.0::el9
    Red Hat | Red Hat OpenShift Service Mesh 3.1 | cpe:/a:redhat:service_mesh:3.1::el9
    Red Hat | Red Hat OpenShift Service Mesh 3.2 | cpe:/a:redhat:service_mesh:3.2::el9
    Red Hat | Red Hat OpenShift Service Mesh 3.3 | cpe:/a:redhat:service_mesh:3.3::el9
    Red Hat | Red Hat Enterprise Linux 10 | cpe:/o:redhat:enterprise_linux:10
    Red Hat | Red Hat Enterprise Linux 8 | cpe:/o:redhat:enterprise_linux:8
    Red Hat | Red Hat Enterprise Linux 9 | cpe:/o:redhat:enterprise_linux:9
    Red Hat | Red Hat Enterprise Linux AI (RHEL AI) 3 | cpe:/a:redhat:enterprise_linux_ai:3
    Red Hat | Red Hat OpenShift Container Platform 4 | cpe:/a:redhat:openshift:4
    Red Hat | Red Hat OpenShift Virtualization 4 | cpe:/a:redhat:container_native_virtualization:4
    Red Hat | OpenShift Service Mesh 2 | cpe:/a:redhat:service_mesh:2
    Credits
    Marwan Atia (marwansamir688@gmail.com)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T18:00:53.951676Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T18:01:02.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cluster Observability Operator 1.5.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.0::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.1::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T19:41:17.631Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-606",
                    "description": "Unchecked Input for Loop Condition",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:05:19.070Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33814"
              },
              {
                "name": "RHBZ#2467815",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467815"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34342"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23262"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23264"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33120"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33142"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33150"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23262: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23264: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T20:01:11.324Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T19:41:17.631Z",
                "value": "Made public."
              }
            ],
            "title": "net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "clientConnReadLoop.processSettingsNoWrite"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "unencryptedTransport.RoundTrip"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.53.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2clientConnReadLoop.processSettingsNoWrite"
                },
                {
                  "name": "Client.CloseIdleConnections"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "http1ClientConn.Close"
                },
                {
                  "name": "http1ClientConn.RoundTrip"
                },
                {
                  "name": "http2Transport.NewClientConn"
                },
                {
                  "name": "http2Transport.RoundTrip"
                },
                {
                  "name": "http2Transport.RoundTripOpt"
                },
                {
                  "name": "http2clientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "http2unencryptedTransport.RoundTrip"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.25.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.26.3",
                  "status": "affected",
                  "version": "1.26.0-0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marwan Atia (marwansamir688@gmail.com)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T19:41:17.631Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/761581"
            },
            {
              "url": "https://go.dev/cl/761640"
            },
            {
              "url": "https://go.dev/issue/78476"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4918"
            }
          ],
          "title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33814",
        "datePublished": "2026-05-07T19:41:17.631Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-07-02T12:05:19.070Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27141 (GCVE-0-2026-27141)

    Vulnerability from nvd – Published: 2026-02-26 18:50 – Updated: 2026-02-27 19:11
    Title
    Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
    Summary
    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Go
    Impacted products
    Vendor | Product | Version
    golang.org/x/net | golang.org/x/net/http2 | Affected: 0.50.0, < 0.51.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T19:11:24.117207Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-476",
                    "description": "CWE-476 NULL Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T19:11:57.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "typeFrameParser"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.ReadFrameForHeader"
                },
                {
                  "name": "Framer.ReadFrameHeader"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePriorityUpdate"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "bufferedWriterTimeoutWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "netHTTPClientConn.Close"
                },
                {
                  "name": "netHTTPClientConn.RoundTrip"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteSchedulerRFC7540.CloseStream"
                },
                {
                  "name": "priorityWriteSchedulerRFC7540.OpenStream"
                },
                {
                  "name": "priorityWriteSchedulerRFC9218.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "unencryptedTransport.RoundTrip"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.51.0",
                  "status": "affected",
                  "version": "0.50.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-26T18:50:31.830Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
            },
            {
              "url": "https://go.dev/cl/746180"
            },
            {
              "url": "https://go.dev/issue/77652"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4559"
            }
          ],
          "title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-27141",
        "datePublished": "2026-02-26T18:50:31.830Z",
        "dateReserved": "2026-02-17T19:57:28.435Z",
        "dateUpdated": "2026-02-27T19:11:57.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-45288 (GCVE-0-2023-45288)

    Vulnerability from nvd – Published: 2024-04-04 20:37 – Updated: 2025-11-04 18:17
    Title
    HTTP/2 CONTINUATION flood in net/http
    Summary
    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.21.9 (semver)
    Affected: 1.22.0-0 , < 1.22.2 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.23.0 (semver)
    go_standard_library net\/http Affected: 0 , < 1.21.9 (custom)
    Affected: 1.22.0-0 , < 1.22.2 (custom)
        cpe:2.3:a:go_standard_library:net\/http:*:*:*:*:*:*:*:*
    golang http2 Affected: 0 , < 0.23.0 (custom)
        cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*
    Credits
    Bartek Nowotarski (https://nowotarski.info/)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T18:17:43.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/65051"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/576155"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2024-2687"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
              },
              {
                "url": "https://www.kb.cert.org/vuls/id/421644"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "net\\/http",
                "vendor": "go_standard_library",
                "versions": [
                  {
                    "lessThan": "1.21.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "1.22.2",
                    "status": "affected",
                    "version": "1.22.0-0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http2",
                "vendor": "golang",
                "versions": [
                  {
                    "lessThan": "0.23.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45288",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-05T17:08:42.212936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-26T20:40:01.996Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2Framer.readMetaFrame"
                },
                {
                  "name": "CanonicalHeaderKey"
                },
                {
                  "name": "Client.CloseIdleConnections"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "Cookie.String"
                },
                {
                  "name": "Cookie.Valid"
                },
                {
                  "name": "Dir.Open"
                },
                {
                  "name": "Error"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "HandlerFunc.ServeHTTP"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "Header.Add"
                },
                {
                  "name": "Header.Del"
                },
                {
                  "name": "Header.Get"
                },
                {
                  "name": "Header.Set"
                },
                {
                  "name": "Header.Values"
                },
                {
                  "name": "Header.Write"
                },
                {
                  "name": "Header.WriteSubset"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "NewRequest"
                },
                {
                  "name": "NewRequestWithContext"
                },
                {
                  "name": "NotFound"
                },
                {
                  "name": "ParseTime"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "ProxyFromEnvironment"
                },
                {
                  "name": "ReadRequest"
                },
                {
                  "name": "ReadResponse"
                },
                {
                  "name": "Redirect"
                },
                {
                  "name": "Request.AddCookie"
                },
                {
                  "name": "Request.BasicAuth"
                },
                {
                  "name": "Request.FormFile"
                },
                {
                  "name": "Request.FormValue"
                },
                {
                  "name": "Request.MultipartReader"
                },
                {
                  "name": "Request.ParseForm"
                },
                {
                  "name": "Request.ParseMultipartForm"
                },
                {
                  "name": "Request.PostFormValue"
                },
                {
                  "name": "Request.Referer"
                },
                {
                  "name": "Request.SetBasicAuth"
                },
                {
                  "name": "Request.UserAgent"
                },
                {
                  "name": "Request.Write"
                },
                {
                  "name": "Request.WriteProxy"
                },
                {
                  "name": "Response.Cookies"
                },
                {
                  "name": "Response.Location"
                },
                {
                  "name": "Response.Write"
                },
                {
                  "name": "ResponseController.EnableFullDuplex"
                },
                {
                  "name": "ResponseController.Flush"
                },
                {
                  "name": "ResponseController.Hijack"
                },
                {
                  "name": "ResponseController.SetReadDeadline"
                },
                {
                  "name": "ResponseController.SetWriteDeadline"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeContent"
                },
                {
                  "name": "ServeFile"
                },
                {
                  "name": "ServeMux.ServeHTTP"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.Close"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "Server.SetKeepAlivesEnabled"
                },
                {
                  "name": "Server.Shutdown"
                },
                {
                  "name": "SetCookie"
                },
                {
                  "name": "Transport.CancelRequest"
                },
                {
                  "name": "Transport.Clone"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "body.Close"
                },
                {
                  "name": "body.Read"
                },
                {
                  "name": "bodyEOFSignal.Close"
                },
                {
                  "name": "bodyEOFSignal.Read"
                },
                {
                  "name": "bodyLocked.Read"
                },
                {
                  "name": "bufioFlushWriter.Write"
                },
                {
                  "name": "cancelTimerBody.Close"
                },
                {
                  "name": "cancelTimerBody.Read"
                },
                {
                  "name": "checkConnErrorWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "connReader.Read"
                },
                {
                  "name": "connectMethodKey.String"
                },
                {
                  "name": "expectContinueReader.Close"
                },
                {
                  "name": "expectContinueReader.Read"
                },
                {
                  "name": "extraHeader.Write"
                },
                {
                  "name": "fileHandler.ServeHTTP"
                },
                {
                  "name": "fileTransport.RoundTrip"
                },
                {
                  "name": "globalOptionsHandler.ServeHTTP"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "http2ClientConn.Close"
                },
                {
                  "name": "http2ClientConn.Ping"
                },
                {
                  "name": "http2ClientConn.RoundTrip"
                },
                {
                  "name": "http2ClientConn.Shutdown"
                },
                {
                  "name": "http2ConnectionError.Error"
                },
                {
                  "name": "http2ErrCode.String"
                },
                {
                  "name": "http2FrameHeader.String"
                },
                {
                  "name": "http2FrameType.String"
                },
                {
                  "name": "http2FrameWriteRequest.String"
                },
                {
                  "name": "http2Framer.ReadFrame"
                },
                {
                  "name": "http2Framer.WriteContinuation"
                },
                {
                  "name": "http2Framer.WriteData"
                },
                {
                  "name": "http2Framer.WriteDataPadded"
                },
                {
                  "name": "http2Framer.WriteGoAway"
                },
                {
                  "name": "http2Framer.WriteHeaders"
                },
                {
                  "name": "http2Framer.WritePing"
                },
                {
                  "name": "http2Framer.WritePriority"
                },
                {
                  "name": "http2Framer.WritePushPromise"
                },
                {
                  "name": "http2Framer.WriteRSTStream"
                },
                {
                  "name": "http2Framer.WriteRawFrame"
                },
                {
                  "name": "http2Framer.WriteSettings"
                },
                {
                  "name": "http2Framer.WriteSettingsAck"
                },
                {
                  "name": "http2Framer.WriteWindowUpdate"
                },
                {
                  "name": "http2GoAwayError.Error"
                },
                {
                  "name": "http2Server.ServeConn"
                },
                {
                  "name": "http2Setting.String"
                },
                {
                  "name": "http2SettingID.String"
                },
                {
                  "name": "http2SettingsFrame.ForeachSetting"
                },
                {
                  "name": "http2StreamError.Error"
                },
                {
                  "name": "http2Transport.CloseIdleConnections"
                },
                {
                  "name": "http2Transport.NewClientConn"
                },
                {
                  "name": "http2Transport.RoundTrip"
                },
                {
                  "name": "http2Transport.RoundTripOpt"
                },
                {
                  "name": "http2bufferedWriter.Flush"
                },
                {
                  "name": "http2bufferedWriter.Write"
                },
                {
                  "name": "http2chunkWriter.Write"
                },
                {
                  "name": "http2clientConnPool.GetClientConn"
                },
                {
                  "name": "http2connError.Error"
                },
                {
                  "name": "http2dataBuffer.Read"
                },
                {
                  "name": "http2duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "http2gzipReader.Close"
                },
                {
                  "name": "http2gzipReader.Read"
                },
                {
                  "name": "http2headerFieldNameError.Error"
                },
                {
                  "name": "http2headerFieldValueError.Error"
                },
                {
                  "name": "http2noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "http2pipe.Read"
                },
                {
                  "name": "http2priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "http2priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "http2pseudoHeaderError.Error"
                },
                {
                  "name": "http2requestBody.Close"
                },
                {
                  "name": "http2requestBody.Read"
                },
                {
                  "name": "http2responseWriter.Flush"
                },
                {
                  "name": "http2responseWriter.FlushError"
                },
                {
                  "name": "http2responseWriter.Push"
                },
                {
                  "name": "http2responseWriter.SetReadDeadline"
                },
                {
                  "name": "http2responseWriter.SetWriteDeadline"
                },
                {
                  "name": "http2responseWriter.Write"
                },
                {
                  "name": "http2responseWriter.WriteHeader"
                },
                {
                  "name": "http2responseWriter.WriteString"
                },
                {
                  "name": "http2roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "http2serverConn.CloseConn"
                },
                {
                  "name": "http2serverConn.Flush"
                },
                {
                  "name": "http2stickyErrWriter.Write"
                },
                {
                  "name": "http2transportResponseBody.Close"
                },
                {
                  "name": "http2transportResponseBody.Read"
                },
                {
                  "name": "http2writeData.String"
                },
                {
                  "name": "initALPNRequest.ServeHTTP"
                },
                {
                  "name": "loggingConn.Close"
                },
                {
                  "name": "loggingConn.Read"
                },
                {
                  "name": "loggingConn.Write"
                },
                {
                  "name": "maxBytesReader.Close"
                },
                {
                  "name": "maxBytesReader.Read"
                },
                {
                  "name": "onceCloseListener.Close"
                },
                {
                  "name": "persistConn.Read"
                },
                {
                  "name": "persistConnWriter.ReadFrom"
                },
                {
                  "name": "persistConnWriter.Write"
                },
                {
                  "name": "populateResponse.Write"
                },
                {
                  "name": "populateResponse.WriteHeader"
                },
                {
                  "name": "readTrackingBody.Close"
                },
                {
                  "name": "readTrackingBody.Read"
                },
                {
                  "name": "readWriteCloserBody.Read"
                },
                {
                  "name": "redirectHandler.ServeHTTP"
                },
                {
                  "name": "response.Flush"
                },
                {
                  "name": "response.FlushError"
                },
                {
                  "name": "response.Hijack"
                },
                {
                  "name": "response.ReadFrom"
                },
                {
                  "name": "response.Write"
                },
                {
                  "name": "response.WriteHeader"
                },
                {
                  "name": "response.WriteString"
                },
                {
                  "name": "serverHandler.ServeHTTP"
                },
                {
                  "name": "socksDialer.DialWithConn"
                },
                {
                  "name": "socksUsernamePassword.Authenticate"
                },
                {
                  "name": "stringWriter.WriteString"
                },
                {
                  "name": "timeoutHandler.ServeHTTP"
                },
                {
                  "name": "timeoutWriter.Write"
                },
                {
                  "name": "timeoutWriter.WriteHeader"
                },
                {
                  "name": "transportReadFromServerError.Error"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.21.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.22.2",
                  "status": "affected",
                  "version": "1.22.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "Framer.readMetaFrame"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Bartek Nowotarski (https://nowotarski.info/)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:10:07.754Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/65051"
            },
            {
              "url": "https://go.dev/cl/576155"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2024-2687"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
            }
          ],
          "title": "HTTP/2 CONTINUATION flood in net/http"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-45288",
        "datePublished": "2024-04-04T20:37:30.714Z",
        "dateReserved": "2023-10-06T17:06:26.221Z",
        "dateUpdated": "2025-11-04T18:17:43.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-39325 (GCVE-0-2023-39325)

    Vulnerability from nvd – Published: 2023-10-11 21:15 – Updated: 2025-02-13 17:02
    VLAI
    Title
    HTTP/2 rapid reset can cause excessive work in net/http
    Summary
    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    References
    URL Tags
    https://go.dev/issue/63417
    https://go.dev/cl/534215
    https://go.dev/cl/534235
    https://groups.google.com/g/golang-announce/c/iNN…
    https://pkg.go.dev/vuln/GO-2023-2102
    https://lists.fedoraproject.org/archives/list/pac…
    https://security.netapp.com/advisory/ntap-2023111…
    https://security.gentoo.org/glsa/202311-09
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.20.10 (semver)
    Affected: 1.21.0-0 , < 1.21.3 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.17.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:02:06.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/534215"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/534235"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-2102"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2serverConn.serve"
                },
                {
                  "name": "http2serverConn.processHeaders"
                },
                {
                  "name": "http2serverConn.upgradeRequest"
                },
                {
                  "name": "http2serverConn.runHandler"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "http2Server.ServeConn"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.20.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.21.3",
                  "status": "affected",
                  "version": "1.21.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "serverConn.serve"
                },
                {
                  "name": "serverConn.processHeaders"
                },
                {
                  "name": "serverConn.upgradeRequest"
                },
                {
                  "name": "serverConn.runHandler"
                },
                {
                  "name": "Server.ServeConn"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-28T04:05:57.980Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/63417"
            },
            {
              "url": "https://go.dev/cl/534215"
            },
            {
              "url": "https://go.dev/cl/534235"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-2102"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
            }
          ],
          "title": "HTTP/2 rapid reset can cause excessive work in net/http"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-39325",
        "datePublished": "2023-10-11T21:15:02.727Z",
        "dateReserved": "2023-07-27T17:05:55.188Z",
        "dateUpdated": "2025-02-13T17:02:50.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-41723 (GCVE-0-2022-41723)

    Vulnerability from nvd – Published: 2023-02-28 17:19 – Updated: 2025-05-05 16:12
    VLAI
    Title
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
    Summary
    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE 400: Uncontrolled Resource Consumption
    • NVD-CWE-Other
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.19.6 (semver)
    Affected: 1.20.0-0 , < 1.20.1 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.7.0 (semver)
    golang.org/x/net golang.org/x/net/http2/hpack Affected: 0 , < 0.7.0 (semver)
    Credits
    Philippe Antoine (Catena cyber)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.617Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20230331-0010/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/57855"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/468135"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/468295"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-1571"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.couchbase.com/alerts/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41723",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:26:37.352634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "NVD-CWE-Other",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T16:12:28.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.ServeTLS"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.19.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.1",
                  "status": "affected",
                  "version": "1.20.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2/hpack",
              "product": "golang.org/x/net/http2/hpack",
              "programRoutines": [
                {
                  "name": "Decoder.parseFieldLiteral"
                },
                {
                  "name": "Decoder.readString"
                },
                {
                  "name": "Decoder.DecodeFull"
                },
                {
                  "name": "Decoder.Write"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Philippe Antoine (Catena cyber)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-25T11:09:48.448Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/57855"
            },
            {
              "url": "https://go.dev/cl/468135"
            },
            {
              "url": "https://go.dev/cl/468295"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-1571"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
            },
            {
              "url": "https://www.couchbase.com/alerts/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            }
          ],
          "title": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-41723",
        "datePublished": "2023-02-28T17:19:45.801Z",
        "dateReserved": "2022-09-28T17:00:06.610Z",
        "dateUpdated": "2025-05-05T16:12:28.159Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-41717 (GCVE-0-2022-41717)

    Vulnerability from nvd – Published: 2022-12-08 19:03 – Updated: 2025-02-13 16:33
    VLAI
    Title
    Excessive memory growth in net/http and golang.org/x/net/http2
    Summary
    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
    Severity
    No CVSS data available.
    CWE
    • CWE 400: Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.18.9 (semver)
    Affected: 1.19.0-0 , < 1.19.4 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.4.0 (semver)
    Credits
    Josselin Costanzi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20230120-0008/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/56350"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/455717"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/455635"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2022-1144"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2serverConn.canonicalHeader"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "http2Server.ServeConn"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.18.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.4",
                  "status": "affected",
                  "version": "1.19.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "serverConn.canonicalHeader"
                },
                {
                  "name": "Server.ServeConn"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Josselin Costanzi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-18T02:06:25.182Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/56350"
            },
            {
              "url": "https://go.dev/cl/455717"
            },
            {
              "url": "https://go.dev/cl/455635"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2022-1144"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
            }
          ],
          "title": "Excessive memory growth in net/http and golang.org/x/net/http2"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-41717",
        "datePublished": "2022-12-08T19:03:53.161Z",
        "dateReserved": "2022-09-28T17:00:06.608Z",
        "dateUpdated": "2025-02-13T16:33:08.284Z",
        "requesterUserId": "7d08541a-cd0a-42e2-8f81-76e6ceb65fc3",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-33814 (GCVE-0-2026-33814)

    Vulnerability from cvelistv5 – Published: 2026-05-07 19:41 – Updated: 2026-07-02 12:05
    Title
    Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net
    Summary
    When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    • CWE-606 - Unchecked Input for Loop Condition
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.53.0 (semver)
    Go standard library net/http Affected: 0 , < 1.25.10 (semver)
    Affected: 1.26.0-0 , < 1.26.3 (semver)
    Red Hat Cluster Observability Operator 1.5.0     cpe:/a:redhat:cluster_observability_operator:1.5::el9
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Red Hat Red Hat OpenShift Service Mesh 3.0     cpe:/a:redhat:service_mesh:3.0::el9
    Red Hat Red Hat OpenShift Service Mesh 3.1     cpe:/a:redhat:service_mesh:3.1::el9
    Red Hat Red Hat OpenShift Service Mesh 3.2     cpe:/a:redhat:service_mesh:3.2::el9
    Red Hat Red Hat OpenShift Service Mesh 3.3     cpe:/a:redhat:service_mesh:3.3::el9
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
    Red Hat Red Hat OpenShift Container Platform 4     cpe:/a:redhat:openshift:4
    Red Hat Red Hat OpenShift Virtualization 4     cpe:/a:redhat:container_native_virtualization:4
    Red Hat OpenShift Service Mesh 2     cpe:/a:redhat:service_mesh:2
    Credits
    Marwan Atia (marwansamir688@gmail.com)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33814",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T18:00:53.951676Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T18:01:02.989Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:cluster_observability_operator:1.5::el9"
                ],
                "defaultStatus": "affected",
                "product": "Cluster Observability Operator 1.5.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.0::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.0",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.1::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.1",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.2::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:3.3::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Service Mesh 3.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux_ai:3"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openshift:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Container Platform 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:container_native_virtualization:4"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenShift Virtualization 4",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:service_mesh:2"
                ],
                "defaultStatus": "unaffected",
                "product": "OpenShift Service Mesh 2",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-05-07T19:41:17.631Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-606",
                    "description": "Unchecked Input for Loop Condition",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:05:19.070Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-33814"
              },
              {
                "name": "RHBZ#2467815",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467815"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:34342"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23262"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:23264"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33120"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33123"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33142"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:33150"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:34342: Cluster Observability Operator 1.5.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23262: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:23264: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33120: Red Hat OpenShift Service Mesh 3.0"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33123: Red Hat OpenShift Service Mesh 3.1"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33142: Red Hat OpenShift Service Mesh 3.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:33150: Red Hat OpenShift Service Mesh 3.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-05-07T20:01:11.324Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-05-07T19:41:17.631Z",
                "value": "Made public."
              }
            ],
            "title": "net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame",
            "workarounds": [
              {
                "lang": "en",
                "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
              }
            ],
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "clientConnReadLoop.processSettingsNoWrite"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "unencryptedTransport.RoundTrip"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.53.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2clientConnReadLoop.processSettingsNoWrite"
                },
                {
                  "name": "Client.CloseIdleConnections"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "http1ClientConn.Close"
                },
                {
                  "name": "http1ClientConn.RoundTrip"
                },
                {
                  "name": "http2Transport.NewClientConn"
                },
                {
                  "name": "http2Transport.RoundTrip"
                },
                {
                  "name": "http2Transport.RoundTripOpt"
                },
                {
                  "name": "http2clientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "http2unencryptedTransport.RoundTrip"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.25.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.26.3",
                  "status": "affected",
                  "version": "1.26.0-0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marwan Atia (marwansamir688@gmail.com)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-835: Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-07T19:41:17.631Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/cl/761581"
            },
            {
              "url": "https://go.dev/cl/761640"
            },
            {
              "url": "https://go.dev/issue/78476"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/qcCIEXso47M"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4918"
            }
          ],
          "title": "Infinite loop in HTTP/2 transport when given bad SETTINGS_MAX_FRAME_SIZE in net/http/internal/http2 in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-33814",
        "datePublished": "2026-05-07T19:41:17.631Z",
        "dateReserved": "2026-03-23T20:35:32.814Z",
        "dateUpdated": "2026-07-02T12:05:19.070Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-27141 (GCVE-0-2026-27141)

    Vulnerability from cvelistv5 – Published: 2026-02-26 18:50 – Updated: 2026-02-27 19:11
    Title
    Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
    Summary
    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-476 - NULL Pointer Dereference
    Assigner
    Go
    Impacted products
    Vendor Product Version
    golang.org/x/net golang.org/x/net/http2 Affected: 0.50.0 , < 0.51.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-27141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-27T19:11:24.117207Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-476",
                    "description": "CWE-476 NULL Pointer Dereference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-27T19:11:57.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "typeFrameParser"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.ReadFrameForHeader"
                },
                {
                  "name": "Framer.ReadFrameHeader"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePriorityUpdate"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "bufferedWriterTimeoutWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "netHTTPClientConn.Close"
                },
                {
                  "name": "netHTTPClientConn.RoundTrip"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.NewClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteSchedulerRFC7540.CloseStream"
                },
                {
                  "name": "priorityWriteSchedulerRFC7540.OpenStream"
                },
                {
                  "name": "priorityWriteSchedulerRFC9218.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "unencryptedTransport.RoundTrip"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.51.0",
                  "status": "affected",
                  "version": "0.50.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-476: NULL Pointer Dereference",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-26T18:50:31.830Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"
            },
            {
              "url": "https://go.dev/cl/746180"
            },
            {
              "url": "https://go.dev/issue/77652"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2026-4559"
            }
          ],
          "title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2026-27141",
        "datePublished": "2026-02-26T18:50:31.830Z",
        "dateReserved": "2026-02-17T19:57:28.435Z",
        "dateUpdated": "2026-02-27T19:11:57.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-45288 (GCVE-0-2023-45288)

    Vulnerability from cvelistv5 – Published: 2024-04-04 20:37 – Updated: 2025-11-04 18:17
    Title
    HTTP/2 CONTINUATION flood in net/http
    Summary
    An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.21.9 (semver)
    Affected: 1.22.0-0 , < 1.22.2 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.23.0 (semver)
    go_standard_library net\/http Affected: 0 , < 1.21.9 (custom)
    Affected: 1.22.0-0 , < 1.22.2 (custom)
        cpe:2.3:a:go_standard_library:net\/http:*:*:*:*:*:*:*:*
    golang http2 Affected: 0 , < 0.23.0 (custom)
        cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*
    Credits
    Bartek Nowotarski (https://nowotarski.info/)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-04T18:17:43.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/65051"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/576155"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2024-2687"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
              },
              {
                "url": "https://www.kb.cert.org/vuls/id/421644"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:go_standard_library:net\\/http:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "net\\/http",
                "vendor": "go_standard_library",
                "versions": [
                  {
                    "lessThan": "1.21.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  },
                  {
                    "lessThan": "1.22.2",
                    "status": "affected",
                    "version": "1.22.0-0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:golang:http2:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "http2",
                "vendor": "golang",
                "versions": [
                  {
                    "lessThan": "0.23.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45288",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-05T17:08:42.212936Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-26T20:40:01.996Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2Framer.readMetaFrame"
                },
                {
                  "name": "CanonicalHeaderKey"
                },
                {
                  "name": "Client.CloseIdleConnections"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "Cookie.String"
                },
                {
                  "name": "Cookie.Valid"
                },
                {
                  "name": "Dir.Open"
                },
                {
                  "name": "Error"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "HandlerFunc.ServeHTTP"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "Header.Add"
                },
                {
                  "name": "Header.Del"
                },
                {
                  "name": "Header.Get"
                },
                {
                  "name": "Header.Set"
                },
                {
                  "name": "Header.Values"
                },
                {
                  "name": "Header.Write"
                },
                {
                  "name": "Header.WriteSubset"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "NewRequest"
                },
                {
                  "name": "NewRequestWithContext"
                },
                {
                  "name": "NotFound"
                },
                {
                  "name": "ParseTime"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "ProxyFromEnvironment"
                },
                {
                  "name": "ReadRequest"
                },
                {
                  "name": "ReadResponse"
                },
                {
                  "name": "Redirect"
                },
                {
                  "name": "Request.AddCookie"
                },
                {
                  "name": "Request.BasicAuth"
                },
                {
                  "name": "Request.FormFile"
                },
                {
                  "name": "Request.FormValue"
                },
                {
                  "name": "Request.MultipartReader"
                },
                {
                  "name": "Request.ParseForm"
                },
                {
                  "name": "Request.ParseMultipartForm"
                },
                {
                  "name": "Request.PostFormValue"
                },
                {
                  "name": "Request.Referer"
                },
                {
                  "name": "Request.SetBasicAuth"
                },
                {
                  "name": "Request.UserAgent"
                },
                {
                  "name": "Request.Write"
                },
                {
                  "name": "Request.WriteProxy"
                },
                {
                  "name": "Response.Cookies"
                },
                {
                  "name": "Response.Location"
                },
                {
                  "name": "Response.Write"
                },
                {
                  "name": "ResponseController.EnableFullDuplex"
                },
                {
                  "name": "ResponseController.Flush"
                },
                {
                  "name": "ResponseController.Hijack"
                },
                {
                  "name": "ResponseController.SetReadDeadline"
                },
                {
                  "name": "ResponseController.SetWriteDeadline"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeContent"
                },
                {
                  "name": "ServeFile"
                },
                {
                  "name": "ServeMux.ServeHTTP"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.Close"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "Server.SetKeepAlivesEnabled"
                },
                {
                  "name": "Server.Shutdown"
                },
                {
                  "name": "SetCookie"
                },
                {
                  "name": "Transport.CancelRequest"
                },
                {
                  "name": "Transport.Clone"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "body.Close"
                },
                {
                  "name": "body.Read"
                },
                {
                  "name": "bodyEOFSignal.Close"
                },
                {
                  "name": "bodyEOFSignal.Read"
                },
                {
                  "name": "bodyLocked.Read"
                },
                {
                  "name": "bufioFlushWriter.Write"
                },
                {
                  "name": "cancelTimerBody.Close"
                },
                {
                  "name": "cancelTimerBody.Read"
                },
                {
                  "name": "checkConnErrorWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "connReader.Read"
                },
                {
                  "name": "connectMethodKey.String"
                },
                {
                  "name": "expectContinueReader.Close"
                },
                {
                  "name": "expectContinueReader.Read"
                },
                {
                  "name": "extraHeader.Write"
                },
                {
                  "name": "fileHandler.ServeHTTP"
                },
                {
                  "name": "fileTransport.RoundTrip"
                },
                {
                  "name": "globalOptionsHandler.ServeHTTP"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "http2ClientConn.Close"
                },
                {
                  "name": "http2ClientConn.Ping"
                },
                {
                  "name": "http2ClientConn.RoundTrip"
                },
                {
                  "name": "http2ClientConn.Shutdown"
                },
                {
                  "name": "http2ConnectionError.Error"
                },
                {
                  "name": "http2ErrCode.String"
                },
                {
                  "name": "http2FrameHeader.String"
                },
                {
                  "name": "http2FrameType.String"
                },
                {
                  "name": "http2FrameWriteRequest.String"
                },
                {
                  "name": "http2Framer.ReadFrame"
                },
                {
                  "name": "http2Framer.WriteContinuation"
                },
                {
                  "name": "http2Framer.WriteData"
                },
                {
                  "name": "http2Framer.WriteDataPadded"
                },
                {
                  "name": "http2Framer.WriteGoAway"
                },
                {
                  "name": "http2Framer.WriteHeaders"
                },
                {
                  "name": "http2Framer.WritePing"
                },
                {
                  "name": "http2Framer.WritePriority"
                },
                {
                  "name": "http2Framer.WritePushPromise"
                },
                {
                  "name": "http2Framer.WriteRSTStream"
                },
                {
                  "name": "http2Framer.WriteRawFrame"
                },
                {
                  "name": "http2Framer.WriteSettings"
                },
                {
                  "name": "http2Framer.WriteSettingsAck"
                },
                {
                  "name": "http2Framer.WriteWindowUpdate"
                },
                {
                  "name": "http2GoAwayError.Error"
                },
                {
                  "name": "http2Server.ServeConn"
                },
                {
                  "name": "http2Setting.String"
                },
                {
                  "name": "http2SettingID.String"
                },
                {
                  "name": "http2SettingsFrame.ForeachSetting"
                },
                {
                  "name": "http2StreamError.Error"
                },
                {
                  "name": "http2Transport.CloseIdleConnections"
                },
                {
                  "name": "http2Transport.NewClientConn"
                },
                {
                  "name": "http2Transport.RoundTrip"
                },
                {
                  "name": "http2Transport.RoundTripOpt"
                },
                {
                  "name": "http2bufferedWriter.Flush"
                },
                {
                  "name": "http2bufferedWriter.Write"
                },
                {
                  "name": "http2chunkWriter.Write"
                },
                {
                  "name": "http2clientConnPool.GetClientConn"
                },
                {
                  "name": "http2connError.Error"
                },
                {
                  "name": "http2dataBuffer.Read"
                },
                {
                  "name": "http2duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "http2gzipReader.Close"
                },
                {
                  "name": "http2gzipReader.Read"
                },
                {
                  "name": "http2headerFieldNameError.Error"
                },
                {
                  "name": "http2headerFieldValueError.Error"
                },
                {
                  "name": "http2noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "http2noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "http2pipe.Read"
                },
                {
                  "name": "http2priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "http2priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "http2pseudoHeaderError.Error"
                },
                {
                  "name": "http2requestBody.Close"
                },
                {
                  "name": "http2requestBody.Read"
                },
                {
                  "name": "http2responseWriter.Flush"
                },
                {
                  "name": "http2responseWriter.FlushError"
                },
                {
                  "name": "http2responseWriter.Push"
                },
                {
                  "name": "http2responseWriter.SetReadDeadline"
                },
                {
                  "name": "http2responseWriter.SetWriteDeadline"
                },
                {
                  "name": "http2responseWriter.Write"
                },
                {
                  "name": "http2responseWriter.WriteHeader"
                },
                {
                  "name": "http2responseWriter.WriteString"
                },
                {
                  "name": "http2roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "http2serverConn.CloseConn"
                },
                {
                  "name": "http2serverConn.Flush"
                },
                {
                  "name": "http2stickyErrWriter.Write"
                },
                {
                  "name": "http2transportResponseBody.Close"
                },
                {
                  "name": "http2transportResponseBody.Read"
                },
                {
                  "name": "http2writeData.String"
                },
                {
                  "name": "initALPNRequest.ServeHTTP"
                },
                {
                  "name": "loggingConn.Close"
                },
                {
                  "name": "loggingConn.Read"
                },
                {
                  "name": "loggingConn.Write"
                },
                {
                  "name": "maxBytesReader.Close"
                },
                {
                  "name": "maxBytesReader.Read"
                },
                {
                  "name": "onceCloseListener.Close"
                },
                {
                  "name": "persistConn.Read"
                },
                {
                  "name": "persistConnWriter.ReadFrom"
                },
                {
                  "name": "persistConnWriter.Write"
                },
                {
                  "name": "populateResponse.Write"
                },
                {
                  "name": "populateResponse.WriteHeader"
                },
                {
                  "name": "readTrackingBody.Close"
                },
                {
                  "name": "readTrackingBody.Read"
                },
                {
                  "name": "readWriteCloserBody.Read"
                },
                {
                  "name": "redirectHandler.ServeHTTP"
                },
                {
                  "name": "response.Flush"
                },
                {
                  "name": "response.FlushError"
                },
                {
                  "name": "response.Hijack"
                },
                {
                  "name": "response.ReadFrom"
                },
                {
                  "name": "response.Write"
                },
                {
                  "name": "response.WriteHeader"
                },
                {
                  "name": "response.WriteString"
                },
                {
                  "name": "serverHandler.ServeHTTP"
                },
                {
                  "name": "socksDialer.DialWithConn"
                },
                {
                  "name": "socksUsernamePassword.Authenticate"
                },
                {
                  "name": "stringWriter.WriteString"
                },
                {
                  "name": "timeoutHandler.ServeHTTP"
                },
                {
                  "name": "timeoutWriter.Write"
                },
                {
                  "name": "timeoutWriter.WriteHeader"
                },
                {
                  "name": "transportReadFromServerError.Error"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.21.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.22.2",
                  "status": "affected",
                  "version": "1.22.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "Framer.readMetaFrame"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "roundRobinWriteScheduler.OpenStream"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Bartek Nowotarski (https://nowotarski.info/)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request\u0027s headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-05-01T17:10:07.754Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/65051"
            },
            {
              "url": "https://go.dev/cl/576155"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2024-2687"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20240419-0009/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT/"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/04/05/4"
            },
            {
              "url": "http://www.openwall.com/lists/oss-security/2024/04/03/16"
            }
          ],
          "title": "HTTP/2 CONTINUATION flood in net/http"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-45288",
        "datePublished": "2024-04-04T20:37:30.714Z",
        "dateReserved": "2023-10-06T17:06:26.221Z",
        "dateUpdated": "2025-11-04T18:17:43.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-39325 (GCVE-0-2023-39325)

    Vulnerability from cvelistv5 – Published: 2023-10-11 21:15 – Updated: 2025-02-13 17:02
    Title
    HTTP/2 rapid reset can cause excessive work in net/http
    Summary
    A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
    Severity
    No CVSS data available.
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.20.10 (semver)
    Affected: 1.21.0-0 , < 1.21.3 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.17.0 (semver)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:02:06.746Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/63417"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/534215"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/534235"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-2102"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2serverConn.serve"
                },
                {
                  "name": "http2serverConn.processHeaders"
                },
                {
                  "name": "http2serverConn.upgradeRequest"
                },
                {
                  "name": "http2serverConn.runHandler"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "http2Server.ServeConn"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.20.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.21.3",
                  "status": "affected",
                  "version": "1.21.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "serverConn.serve"
                },
                {
                  "name": "serverConn.processHeaders"
                },
                {
                  "name": "serverConn.upgradeRequest"
                },
                {
                  "name": "serverConn.runHandler"
                },
                {
                  "name": "Server.ServeConn"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-28T04:05:57.980Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/63417"
            },
            {
              "url": "https://go.dev/cl/534215"
            },
            {
              "url": "https://go.dev/cl/534235"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-2102"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
            },
            {
              "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
            }
          ],
          "title": "HTTP/2 rapid reset can cause excessive work in net/http"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2023-39325",
        "datePublished": "2023-10-11T21:15:02.727Z",
        "dateReserved": "2023-07-27T17:05:55.188Z",
        "dateUpdated": "2025-02-13T17:02:50.341Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-41723 (GCVE-0-2022-41723)

    Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-05-05 16:12
    Title
    Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net
    Summary
    A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE 400: Uncontrolled Resource Consumption
    • NVD-CWE-Other
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.19.6 (semver)
    Affected: 1.20.0-0 , < 1.20.1 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.7.0 (semver)
    golang.org/x/net golang.org/x/net/http2/hpack Affected: 0 , < 0.7.0 (semver)
    Credits
    Philippe Antoine (Catena cyber)

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.617Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20230331-0010/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/57855"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/468135"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/468295"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2023-1571"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.couchbase.com/alerts/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-41723",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T13:26:37.352634Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "NVD-CWE-Other",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-05T16:12:28.159Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Client.Do"
                },
                {
                  "name": "Client.Get"
                },
                {
                  "name": "Client.Head"
                },
                {
                  "name": "Client.Post"
                },
                {
                  "name": "Client.PostForm"
                },
                {
                  "name": "Get"
                },
                {
                  "name": "Head"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Post"
                },
                {
                  "name": "PostForm"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.ServeTLS"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.19.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.20.1",
                  "status": "affected",
                  "version": "1.20.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "Transport.RoundTrip"
                },
                {
                  "name": "Server.ServeConn"
                },
                {
                  "name": "ClientConn.Close"
                },
                {
                  "name": "ClientConn.Ping"
                },
                {
                  "name": "ClientConn.RoundTrip"
                },
                {
                  "name": "ClientConn.Shutdown"
                },
                {
                  "name": "ConfigureServer"
                },
                {
                  "name": "ConfigureTransport"
                },
                {
                  "name": "ConfigureTransports"
                },
                {
                  "name": "ConnectionError.Error"
                },
                {
                  "name": "ErrCode.String"
                },
                {
                  "name": "FrameHeader.String"
                },
                {
                  "name": "FrameType.String"
                },
                {
                  "name": "FrameWriteRequest.String"
                },
                {
                  "name": "Framer.ReadFrame"
                },
                {
                  "name": "Framer.WriteContinuation"
                },
                {
                  "name": "Framer.WriteData"
                },
                {
                  "name": "Framer.WriteDataPadded"
                },
                {
                  "name": "Framer.WriteGoAway"
                },
                {
                  "name": "Framer.WriteHeaders"
                },
                {
                  "name": "Framer.WritePing"
                },
                {
                  "name": "Framer.WritePriority"
                },
                {
                  "name": "Framer.WritePushPromise"
                },
                {
                  "name": "Framer.WriteRSTStream"
                },
                {
                  "name": "Framer.WriteRawFrame"
                },
                {
                  "name": "Framer.WriteSettings"
                },
                {
                  "name": "Framer.WriteSettingsAck"
                },
                {
                  "name": "Framer.WriteWindowUpdate"
                },
                {
                  "name": "GoAwayError.Error"
                },
                {
                  "name": "ReadFrameHeader"
                },
                {
                  "name": "Setting.String"
                },
                {
                  "name": "SettingID.String"
                },
                {
                  "name": "SettingsFrame.ForeachSetting"
                },
                {
                  "name": "StreamError.Error"
                },
                {
                  "name": "Transport.CloseIdleConnections"
                },
                {
                  "name": "Transport.NewClientConn"
                },
                {
                  "name": "Transport.RoundTripOpt"
                },
                {
                  "name": "bufferedWriter.Flush"
                },
                {
                  "name": "bufferedWriter.Write"
                },
                {
                  "name": "chunkWriter.Write"
                },
                {
                  "name": "clientConnPool.GetClientConn"
                },
                {
                  "name": "connError.Error"
                },
                {
                  "name": "dataBuffer.Read"
                },
                {
                  "name": "duplicatePseudoHeaderError.Error"
                },
                {
                  "name": "gzipReader.Close"
                },
                {
                  "name": "gzipReader.Read"
                },
                {
                  "name": "headerFieldNameError.Error"
                },
                {
                  "name": "headerFieldValueError.Error"
                },
                {
                  "name": "noDialClientConnPool.GetClientConn"
                },
                {
                  "name": "noDialH2RoundTripper.RoundTrip"
                },
                {
                  "name": "pipe.Read"
                },
                {
                  "name": "priorityWriteScheduler.CloseStream"
                },
                {
                  "name": "priorityWriteScheduler.OpenStream"
                },
                {
                  "name": "pseudoHeaderError.Error"
                },
                {
                  "name": "requestBody.Close"
                },
                {
                  "name": "requestBody.Read"
                },
                {
                  "name": "responseWriter.Flush"
                },
                {
                  "name": "responseWriter.FlushError"
                },
                {
                  "name": "responseWriter.Push"
                },
                {
                  "name": "responseWriter.SetReadDeadline"
                },
                {
                  "name": "responseWriter.SetWriteDeadline"
                },
                {
                  "name": "responseWriter.Write"
                },
                {
                  "name": "responseWriter.WriteHeader"
                },
                {
                  "name": "responseWriter.WriteString"
                },
                {
                  "name": "serverConn.CloseConn"
                },
                {
                  "name": "serverConn.Flush"
                },
                {
                  "name": "stickyErrWriter.Write"
                },
                {
                  "name": "transportResponseBody.Close"
                },
                {
                  "name": "transportResponseBody.Read"
                },
                {
                  "name": "writeData.String"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2/hpack",
              "product": "golang.org/x/net/http2/hpack",
              "programRoutines": [
                {
                  "name": "Decoder.parseFieldLiteral"
                },
                {
                  "name": "Decoder.readString"
                },
                {
                  "name": "Decoder.DecodeFull"
                },
                {
                  "name": "Decoder.Write"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.7.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Philippe Antoine (Catena cyber)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-25T11:09:48.448Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/57855"
            },
            {
              "url": "https://go.dev/cl/468135"
            },
            {
              "url": "https://go.dev/cl/468295"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2023-1571"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLBQ3A7ROLEQXQLXFDLNJ7MYPKG5GULE/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGW7GE2Z32ZT47UFAQFDRQE33B7Q7LMT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX3IMUTZKRQ73PBZM4E2JP4BKYH4C6XE/"
            },
            {
              "url": "https://www.couchbase.com/alerts/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            }
          ],
          "title": "Denial of service via crafted HTTP/2 stream in net/http and golang.org/x/net"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-41723",
        "datePublished": "2023-02-28T17:19:45.801Z",
        "dateReserved": "2022-09-28T17:00:06.610Z",
        "dateUpdated": "2025-05-05T16:12:28.159Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-41717 (GCVE-0-2022-41717)

    Vulnerability from cvelistv5 – Published: 2022-12-08 19:03 – Updated: 2025-02-13 16:33
    Title
    Excessive memory growth in net/http and golang.org/x/net/http2
    Summary
    An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.
    Severity
    No CVSS data available.
    CWE
    • CWE 400: Uncontrolled Resource Consumption
    Assigner
    Go
    Impacted products
    Vendor Product Version
    Go standard library net/http Affected: 0 , < 1.18.9 (semver)
    Affected: 1.19.0-0 , < 1.19.4 (semver)
    golang.org/x/net golang.org/x/net/http2 Affected: 0 , < 0.4.0 (semver)
    Credits
    Josselin Costanzi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T12:49:43.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://security.netapp.com/advisory/ntap-20230120-0008/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/issue/56350"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/455717"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://go.dev/cl/455635"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://pkg.go.dev/vuln/GO-2022-1144"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/202311-09"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "net/http",
              "product": "net/http",
              "programRoutines": [
                {
                  "name": "http2serverConn.canonicalHeader"
                },
                {
                  "name": "ListenAndServe"
                },
                {
                  "name": "ListenAndServeTLS"
                },
                {
                  "name": "Serve"
                },
                {
                  "name": "ServeTLS"
                },
                {
                  "name": "Server.ListenAndServe"
                },
                {
                  "name": "Server.ListenAndServeTLS"
                },
                {
                  "name": "Server.Serve"
                },
                {
                  "name": "Server.ServeTLS"
                },
                {
                  "name": "http2Server.ServeConn"
                }
              ],
              "vendor": "Go standard library",
              "versions": [
                {
                  "lessThan": "1.18.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "1.19.4",
                  "status": "affected",
                  "version": "1.19.0-0",
                  "versionType": "semver"
                }
              ]
            },
            {
              "collectionURL": "https://pkg.go.dev",
              "defaultStatus": "unaffected",
              "packageName": "golang.org/x/net/http2",
              "product": "golang.org/x/net/http2",
              "programRoutines": [
                {
                  "name": "serverConn.canonicalHeader"
                },
                {
                  "name": "Server.ServeConn"
                }
              ],
              "vendor": "golang.org/x/net",
              "versions": [
                {
                  "lessThan": "0.4.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Josselin Costanzi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE 400: Uncontrolled Resource Consumption",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-18T02:06:25.182Z",
            "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
            "shortName": "Go"
          },
          "references": [
            {
              "url": "https://go.dev/issue/56350"
            },
            {
              "url": "https://go.dev/cl/455717"
            },
            {
              "url": "https://go.dev/cl/455635"
            },
            {
              "url": "https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ"
            },
            {
              "url": "https://pkg.go.dev/vuln/GO-2022-1144"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBKBAZBIOXZV5QCFHZNSVXULR32XJCYD/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NQGNAXK3YBPMUP3J4TECIRDHFGW37522/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PUM4DIVOLJCBK5ZDP4LJOL24GXT3YSIR/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4SBIUECMLNC572P23DDOKJNKPJVX26SP/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PW3XC47AUW5J5M2ULJX7WCCL3B2ETLMT/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q52IQI754YAE4XPR4QBRWPIVZWYGZ4FS/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/56B2FFESRYYP6IY2AZ3UWXLWKZ5IYZN4/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANIOPUXWIHVRA6CEWXCGOMX3YYS6KFHG/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WPEIZ7AMEJCZXU3FEJZMVRNHQZXX5P3I/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
            },
            {
              "url": "https://security.gentoo.org/glsa/202311-09"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CSVIS6MTMFVBA7JPMRAUNKUOYEVSJYSB/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
            },
            {
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
            }
          ],
          "title": "Excessive memory growth in net/http and golang.org/x/net/http2"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "assignerShortName": "Go",
        "cveId": "CVE-2022-41717",
        "datePublished": "2022-12-08T19:03:53.161Z",
        "dateReserved": "2022-09-28T17:00:06.608Z",
        "dateUpdated": "2025-02-13T16:33:08.284Z",
        "requesterUserId": "7d08541a-cd0a-42e2-8f81-76e6ceb65fc3",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }