CVE-2026-33814
Published: 2026-05-07
Priority: P3 (40, high) · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
0.78%
51.3rd percentile
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | opentofu_opentofu | >= 0 < 1.11.8 | 1.11.8 |
| go-toolset_rhel8 | golang | — | — |
| go_standard_library | net_http | < 1.25.10 | 1.25.10 |
| go_standard_library | net_http | >= 1.26.0-0 < 1.26.3 | 1.26.3 |
| golang.org | x_net_golang.org_x_net_http2 | < 0.53.0 | 0.53.0 |
| golang | go | < 1.25.10 | 1.25.10 |
| golang | go | >= 1.26.0 < 1.26.3 | 1.26.3 |
| golang | http2 | < 0.53.0 | 0.53.0 |
| ubuntu | adsys | — | — |
| ubuntu | containerd | — | — |
| ubuntu | containerd-app | — | — |
| ubuntu | containerd-stable | — | — |
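A quick way to tell whether a compiled Go binary falls inside one of these ranges is `go version -m <binary>`, which prints the toolchain that built it and every linked module version. The following is an added example, not tooling from the page's sources: it parses a constructed sample of that output and applies the ranges from the table above. The names (Analyze, Report, sampleListing) are this example's own. Two lines matter: the toolchain version, because net/http carries its own bundled copy of the http2 code, so a binary is in range even when golang.org/x/net is not linked at all; and the golang.org/x/net line, which is what counts when the program or a dependency imports golang.org/x/net/http2 directly.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Report summarises what a `go version -m <binary>` listing says about this CVE.
type Report struct {
	GoVersion    string // toolchain that built the binary, e.g. "go1.25.9"
	XNetVersion  string // linked golang.org/x/net, "" if absent
	GoAffected   bool   // toolchain (and so its bundled net/http http2 code) in an affected range
	XNetAffected bool   // linked x/net in the affected range; matters if x/net/http2 is used directly
}

// parseVersion reduces "go1.25.9", "v0.52.0" or "v0.53.0-0.20260101000000-abcdef012345"
// to integer components. A "-" suffix (pre-release or pseudo-version) is dropped
// and flagged so that it sorts below the same numeric version.
func parseVersion(s string) (nums []int, pre bool) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		s, pre = s[:i], true
	}
	for _, p := range strings.Split(s, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			break // "rc1" and similar suffixes end the numeric part
		}
		nums = append(nums, n)
	}
	return nums, pre
}

// less reports whether version a sorts strictly before version b.
func less(a, b string) bool {
	an, apre := parseVersion(a)
	bn, bpre := parseVersion(b)
	for i := 0; i < len(an) || i < len(bn); i++ {
		var x, y int
		if i < len(an) {
			x = an[i]
		}
		if i < len(bn) {
			y = bn[i]
		}
		if x != y {
			return x < y
		}
	}
	return apre && !bpre
}

// goAffected applies the toolchain ranges from the table: < 1.25.10, and >= 1.26.0 < 1.26.3.
func goAffected(v string) bool {
	n, _ := parseVersion(v)
	if len(n) >= 2 && n[0] == 1 && n[1] >= 26 {
		return less(v, "go1.26.3")
	}
	return less(v, "go1.25.10")
}

// xnetAffected applies the golang.org/x/net range from the table: < 0.53.0.
func xnetAffected(v string) bool { return less(v, "v0.53.0") }

// Analyze parses the text printed by `go version -m <binary>`: a "<path>: goX.Y.Z"
// header line, then tab-indented "dep<TAB>module<TAB>version<TAB>hash" lines
// (a following "=><TAB>module<TAB>version" line records a replace directive).
func Analyze(out string) Report {
	var r Report
	for _, line := range strings.Split(out, "\n") {
		if !strings.HasPrefix(line, "\t") {
			if i := strings.LastIndex(line, ": "); i >= 0 {
				r.GoVersion = strings.TrimSpace(line[i+2:])
			}
			continue
		}
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(f) >= 3 && (f[0] == "dep" || f[0] == "=>") && f[1] == "golang.org/x/net" {
			r.XNetVersion = f[2] // a replace line overrides the dep line before it
		}
	}
	r.GoAffected = r.GoVersion != "" && goAffected(r.GoVersion)
	r.XNetAffected = r.XNetVersion != "" && xnetAffected(r.XNetVersion)
	return r
}

// sampleListing is a constructed `go version -m` listing for a hypothetical
// binary, not output captured from any real program.
const sampleListing = "./server: go1.25.9\n" +
	"\tpath\texample.com/server\n" +
	"\tmod\texample.com/server\t(devel)\n" +
	"\tdep\tgolang.org/x/net\tv0.52.0\th1:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n" +
	"\tbuild\t-buildmode=exe\n"

func main() {
	r := Analyze(sampleListing)
	fmt.Printf("toolchain %s affected=%v; golang.org/x/net %s affected=%v\n",
		r.GoVersion, r.GoAffected, r.XNetVersion, r.XNetAffected)
}
```

This is a triage step, not the final word: a pseudo-version below v0.53.0 is reported as affected even if it happens to contain the fix commit, and a module that merely links x/net without using x/net/http2 is not reachable through that path. `govulncheck`, which consults the Go vulnerability database entry GO-2026-4918 linked in the references, gives the call-graph-aware answer.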
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- GHSA: 7.5 HIGH
- Red Hat: 7.5 HIGH
- Ubuntu: 7.5 HIGH
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 7.5
CVE-2026-53492 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Henry Beberman and Robert Prast discovered that containerd incorrectly
validated image references when importing container checkpoints. An
attacker could possibly use this issue to poison the local image cach
Ubuntu
containerd vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 7.5
CVE-2026-33814 [HIGH] containerd vulnerabilities
Title: containerd vulnerabilities
Summary: Several security issues were fixed in containerd.
It was discovered that containerd incorrectly handled HTTP/2 SETTINGS
frames. A remote attacker could possibly use this issue to cause containerd
to enter an infinite loop, resulting in a denial of service. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2026-33814)
Jakub Ciolek and Kyle Elliott discovered that containerd incorrectly
handled group parsing when creating containers from images. An attacker
could possibly use this issue to cause containerd to consume excessive
memory, resulting in a denial of service. (CVE-2026-47262)
Robert Prast discovered that containerd incorrectly propagated labels
from image configurations to container
Ubuntu
ADSys vulnerabilities
vendor_ubuntu·2026-06-15·CVSS 7.5
CVE-2026-33814 [HIGH] ADSys vulnerabilities
Title: ADSys vulnerabilities
Summary: Several security issues were fixed in ADSys.
It was discovered that ADSys did not properly handle certain HTTP/2 frames.
A remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-27141)
It was discovered that ADSys did not properly handle certain HTTP/2
SETTINGS frames. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2026-33814)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
vendor_redhat·2026-05-07·CVSS 7.5
CVE-2026-33814 [HIGH] CWE-606 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
A flaw was found in the HTTP/2 protocol implementation within the Go standard library (golang.org/x/net and net/http/internal/http2). A remote attacker can exploit this vulnerability by sending a specially crafted HTTP/2 SETTINGS frame with the SETTINGS_MAX_FRAME_SIZE parameter set to zero. This malicious frame causes the transport layer to enter an infinite loop of writing CONTINUATION frames, leading to resource exhaustion and a Denial of Service (DoS) condition.
Statement: This Important denial o
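To make the failure mode concrete, the following is an added example in Go. It is not code from net/http, golang.org/x/net or the Red Hat advisory, and it is not the upstream patch. It assumes a simplified writer loop (CountHeaderFrames) that splits an encoded header block into HEADERS and CONTINUATION frames of at most the peer-advertised maximum frame size, and shows why the RFC 9113 section 6.5.2 range check (ApplyMaxFrameSize) has to run before the advertised value is stored. The loop guard and the 40,000-byte header block exist only for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SETTINGS_MAX_FRAME_SIZE identifier and bounds from RFC 9113 section 6.5.2.
const (
	SettingMaxFrameSize uint16 = 0x5
	MinMaxFrameSize     uint32 = 1 << 14   // 16384
	MaxMaxFrameSize     uint32 = 1<<24 - 1 // 16777215
)

var ErrBadMaxFrameSize = errors.New("PROTOCOL_ERROR: SETTINGS_MAX_FRAME_SIZE outside [16384, 16777215]")

// Setting is one (identifier, value) pair from a SETTINGS payload.
type Setting struct {
	ID  uint16
	Val uint32
}

// ParseSettingsPayload decodes the 6-byte pairs of a SETTINGS frame payload:
// 2-byte identifier followed by a 4-byte value, both big-endian.
func ParseSettingsPayload(p []byte) ([]Setting, error) {
	if len(p)%6 != 0 {
		return nil, errors.New("FRAME_SIZE_ERROR: SETTINGS payload length not a multiple of 6")
	}
	ss := make([]Setting, 0, len(p)/6)
	for i := 0; i < len(p); i += 6 {
		ss = append(ss, Setting{
			ID:  binary.BigEndian.Uint16(p[i:]),
			Val: binary.BigEndian.Uint32(p[i+2:]),
		})
	}
	return ss, nil
}

// ApplyMaxFrameSize is the hardened path: the peer's SETTINGS_MAX_FRAME_SIZE is
// range-checked before it is stored, so a value of 0 never reaches the frame
// writer. A caller treats the error as a connection error (GOAWAY, PROTOCOL_ERROR).
func ApplyMaxFrameSize(cur uint32, ss []Setting) (uint32, error) {
	for _, s := range ss {
		if s.ID != SettingMaxFrameSize {
			continue
		}
		if s.Val < MinMaxFrameSize || s.Val > MaxMaxFrameSize {
			return cur, ErrBadMaxFrameSize
		}
		cur = s.Val
	}
	return cur, nil
}

// CountHeaderFrames models the writer side: an encoded header block is sent as
// one HEADERS frame followed by CONTINUATION frames, each carrying at most
// maxFrameSize bytes of the block. With maxFrameSize == 0 every pass consumes
// zero bytes, so the loop never terminates. maxIter is a guard that exists only
// in this demonstration, so it reports the stall instead of hanging.
func CountHeaderFrames(block []byte, maxFrameSize uint32, maxIter int) (int, error) {
	frames := 0
	for first := true; first || len(block) > 0; first = false {
		if frames >= maxIter {
			return frames, errors.New("no progress: writer would emit CONTINUATION frames forever")
		}
		n := len(block)
		if uint32(n) > maxFrameSize {
			n = int(maxFrameSize)
		}
		block = block[n:] // a real transport writes this chunk as HEADERS or CONTINUATION
		frames++
	}
	return frames, nil
}

func main() {
	// Constructed payload: one pair, SETTINGS_MAX_FRAME_SIZE (0x0005) = 0.
	malicious := []byte{0x00, 0x05, 0x00, 0x00, 0x00, 0x00}
	ss, _ := ParseSettingsPayload(malicious)

	hdrs := make([]byte, 40000) // constructed 40,000-byte encoded header block

	// Unchecked value: the writer makes no progress and only the guard stops it.
	_, err := CountHeaderFrames(hdrs, ss[0].Val, 1000)
	fmt.Println("unchecked SETTINGS_MAX_FRAME_SIZE=0:", err)

	// Validated value: rejected before the writer can see it.
	_, err = ApplyMaxFrameSize(MinMaxFrameSize, ss)
	fmt.Println("validated:", err)

	// Sanity check: 40,000 bytes at the 16,384-byte minimum is HEADERS + 2 CONTINUATION.
	n, _ := CountHeaderFrames(hdrs, MinMaxFrameSize, 1000)
	fmt.Println("frames at minimum size:", n)
}
```

The point of the split is where the check lives. Validating at write time would only catch the value after a request has already been queued; validating when the SETTINGS frame is processed lets the connection be torn down with a PROTOCOL_ERROR, which is what RFC 9113 requires for any SETTINGS_MAX_FRAME_SIZE outside the 16,384 to 16,777,215 range.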
GHSA
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
ghsa·2026-05-20·CVSS 7.5
CVE-2026-33814 [HIGH] CWE-835 OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
OpenTofu: Excessive resource usage in "tofu init" when installing dependencies from attacker-controlled server
### Impact
Unauthenticated denial of service.
### Summary
When installing provider or module packages from attacker-controlled servers, the server may cause `tofu init` to enter an infinite loop sending garbage data to that server.
Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. Other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources.
These vulnerabilities **do not** permit arbitrary code execution or allow disclosure of confidential information.
### Details
O
VulDB
http2-net-http up to 0.52.x on Go SETTINGS_MAX_FRAME_SIZE infinite loop
vuldb·2026-05-07
CVE-2026-33814 [LOW] http2-net-http up to 0.52.x on Go SETTINGS_MAX_FRAME_SIZE infinite loop
A vulnerability labeled as problematic has been found in http2-net-http up to 0.52.x on Go. This affects an unknown function. Such manipulation of the argument SETTINGS_MAX_FRAME_SIZE leads to an infinite loop.
This vulnerability is uniquely identified as CVE-2026-33814. The attack can be launched remotely. No exploit exists.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
bugzilla·2026-05-07·CVSS 7.5
CVE-2026-33814 [HIGH] CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
CVE-2026-33814 net/http/internal/http2: golang: golang.org/x/net: Go HTTP/2: Denial of Service via malformed SETTINGS_MAX_FRAME_SIZE frame
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 10
Via RHSA-2026:22120 https://access.redhat.com/errata/RHSA-2026:22120
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2026:22121 https://access.redhat.com/errata/RHSA-2026:22121
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2026:22112 https://access.redhat.com/errata/RHSA-2026:22112
References
- https://go.dev/cl/761581
- https://go.dev/cl/761640
- https://go.dev/issue/78476
- https://groups.google.com/g/golang-announce/c/qcCIEXso47M
- https://pkg.go.dev/vuln/GO-2026-4918
- https://access.redhat.com/errata/RHSA-2026:23262
- https://access.redhat.com/errata/RHSA-2026:23264
- https://access.redhat.com/errata/RHSA-2026:33120
- https://access.redhat.com/errata/RHSA-2026:33123
- https://access.redhat.com/errata/RHSA-2026:33142
- https://access.redhat.com/errata/RHSA-2026:33150
- https://access.redhat.com/security/cve/CVE-2026-33814
- https://bugzilla.redhat.com/show_bug.cgi?id=2467815
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33814.json