CVE-2026-27141 — NULL Pointer Dereference in X NET Golang.org X NET Http2

CWE-476 — NULL Pointer Dereference12 documents10 sources

Severity

7.5HIGHNVD

EPSS

0.0%

top 94.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X NET Golang.org X NET Http2 Github.com Traefik Traefik V2 Github.com Traefik Traefik V3 +1 more

Timeline

PublishedFeb 26

Latest updateMar 12

Description

Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5golang.org/x_net_golang.org_x_net_http20.50.0 — 0.51.0

▶Gogolang.org/x_net0.50.0 — 0.51.0

▶Gogithub.com/traefik_traefik_v2< 2.11.40

▶Gogithub.com/traefik_traefik_v3< 3.6.10

🔴Vulnerability Details

GHSA

Traefik: HTTP/2 frames can cause a running server to panic↗2026-03-12

▶

OSV

Traefik: HTTP/2 frames can cause a running server to panic↗2026-03-12

▶

OSV

CVE-2026-27141: Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic↗2026-02-26

▶

CVEList

Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net↗2026-02-26

▶

GHSA

GHSA-8fj7-8h3w-xwfm: Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic↗2026-02-26

▶

📋Vendor Advisories

Red Hat

golang.org/x/net/http2: golang.org/x/net/http2: Denial of Service due to malformed HTTP/2 frames↗2026-02-26

▶

Microsoft

Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net↗2026-02-10

▶

Debian

CVE-2026-27141: golang-golang-x-net - Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running s...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27141 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-27141 golang.org/x/net/http2: golang.org/x/net/http2: Denial of Service due to malformed HTTP/2 frames↗2026-02-26

▶