CVE-2021-33194
published 2021-05-26
CVE-2021-33194: golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Priority: P3 · 37 · high · 7.5 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H
EPSS
7.49%
93.7th percentile
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-golang-x-net | < golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4 (bookworm) | golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4 (bookworm) |
| fedoraproject | fedora | — | — |
| golang.org | x_net | >= 0 < 0.0.0-20210520170846-37e1c6afe023 | 0.0.0-20210520170846-37e1c6afe023 |
| golang | go | <= 1.15.12 | — |
| golang | go | 1.16.0 – 1.16.4 | — |
| msrc | cm1_golang_1.15.13-1_on_cbl_mariner_1.0 | — | — |
CVSS provenance
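| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |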
GHSA
golang.org/x/net/html Infinite Loop vulnerability
ghsa·2022-05-24
CVE-2021-33194 [HIGH] CWE-835 golang.org/x/net/html Infinite Loop vulnerability
Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.
OSV
golang.org/x/net/html Infinite Loop vulnerability
osv·2022-05-24
CVE-2021-33194 [HIGH] golang.org/x/net/html Infinite Loop vulnerability
Go through 1.15.12 and 1.16.x through 1.16.4 has a golang.org/x/net/html infinite loop via crafted ParseFragment input.
OSV
Infinite loop when parsing inputs in golang.org/x/net/html
osv·2022-02-17
CVE-2021-33194 Infinite loop when parsing inputs in golang.org/x/net/html
An attacker can craft an input to ParseFragment that causes it to enter an infinite loop and never return.
OSV
CVE-2021-33194: golang
osv·2021-05-26·CVSS 7.5
CVE-2021-33194 [HIGH] CVE-2021-33194: golang
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Ubuntu
ADSys, Juju Core, LXD vulnerabilities
vendor_ubuntu·2026-04-07·CVSS 7.5
CVE-2023-3978 [HIGH] ADSys, Juju Core, LXD vulnerabilities
Title: ADSys, Juju Core, LXD vulnerabilities
Summary: Several security issues were fixed in ADSys, Juju Core, LXD
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in LXD, ADSys, and Juju Core.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a de
Ubuntu
Go Networking vulnerabilities
vendor_ubuntu·2026-03-31·CVSS 7.5
CVE-2025-47911 [HIGH] Go Networking vulnerabilities
Title: Go Networking vulnerabilities
Summary: Several security issues were fixed in Go Networking
USN-8089-1 fixed vulnerabilities in Go Networking. This update provides
the corresponding update to code vendored in golang-golang-x-net-dev.
Original advisory details:
Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and
Kaan Onarlioglu discovered that servers using Go Networking could hang
during shutdown if preempted by a fatal error. An attacker could possibly
use this to cause a denial of service. This issue only affected Ubuntu
22.04 LTS. (CVE-2022-27664)
Arpad Ryszka and Jakob Ackermann discovered that a maliciously crafted
stream could cause excessive CPU usage in Go Networking's HPACK decoder. An
attacker could possibly use this to cause a denial of service. T
Red Hat
golang: x/net/html: infinite loop in ParseFragment
vendor_redhat·2021-05-20·CVSS 7.5
CVE-2021-33194 [HIGH] CWE-835 golang: x/net/html: infinite loop in ParseFragment
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.
Statement: Red Hat Developer Tools go-toolset-1.14-golang not affected because the vulnerable code is not shipped.
This vulnerability within golang and buildah shipped with RHEL-7 are out of support scope. For more information on Red Hat's support scope, visit: https://access.redhat.com/support/policy/updates/errata
For RHEL-8's go-toolset:rhel8/golang, container-tools:1.0/builda
Microsoft
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
vendor_msrc·2021-05-11·CVSS 7.5
CVE-2021-33194 [HIGH] CWE-835 golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Debian
CVE-2021-33194: golang-golang-x-net - golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to c...
vendor_debian·2021·CVSS 7.5
CVE-2021-33194 [HIGH] CVE-2021-33194: golang-golang-x-net - golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to c...
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.
Scope: local
bookworm: resolved (fixed in 1:0.0+git20210119.5f4716e+dfsg-4)
bullseye: resolved (fixed in 1:0.0+git20210119.5f4716e+dfsg-4)
forky: resolved (fixed in 1:0.0+git20210119.5f4716e+dfsg-4)
sid: resolved (fixed in 1:0.0+git20210119.5f4716e+dfsg-4)
trixie: resolved (fixed in 1:0.0+git20210119.5f4716e+dfsg-4)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/golang/net/commit/37e1c6afe02340126705deced573a85ab75209d7
https://groups.google.com/g/golang-announce/c/wPunbCPkWUg
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
2021-05-26
Published