Description
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in golang.org/x/net/http2 arises from a missing nil check that causes a server to panic when it receives HTTP/2 frames with types 0x0a through 0x0f. A panic triggers a crash of the running server instance, abruptly terminating service and resulting in a denial of service for all clients connected to that server. The vulnerability does not grant any attacker privilege escalation or data exposure, but it can be exploited remotely merely by sending the offending frames over an established HTTP/2 connection.

Affected Systems

The affected component is the golang.org/x/net library, specifically the http2 package used by any Go application that implements HTTP/2 support. No specific software versions are listed; therefore, any application leveraging this library that has not applied the latest patch is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 7.5, the risk level is moderate to high. The EPSS score indicates a very low likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA’s KEV catalog. Nonetheless, an attacker can trigger the panic by sending crafted HTTP/2 frames without authentication, making the vulnerability remotely exploitable with only network access to the server.

Generated by OpenCVE AI on April 16, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the golang.org/x/net library to a version that includes the nil check fix (see GO-2026-4559).
  • If an immediate upgrade is not feasible, configure the server to reject or ignore HTTP/2 frames 0x0a–0x0f, or disable HTTP/2 support entirely to prevent the panic.
  • After applying a fix or workaround, test the server with a crafted HTTP/2 client and monitor logs for panic events to confirm the issue is resolved.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 12:15:00 +0000

  Type        Values Removed            Values Added
  References
  Metrics     threat_severity: None     threat_severity: Moderate

Fri, 27 Feb 2026 20:15:00 +0000

  Type        Values Removed            Values Added
  Weaknesses                            CWE-476
  Metrics                               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Go Standard Library
                                         Go Standard Library net/http
  Vendors & Products                     Go Standard Library
                                         Go Standard Library net/http

Thu, 26 Feb 2026 19:30:00 +0000

  Type          Values Removed   Values Added
  Description                    Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
  Title                          Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net
  References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-02-27T19:11:57.260Z

Reserved: 2026-02-17T19:57:28.435Z

Link: CVE-2026-27141

Vulnrichment

Updated: 2026-02-27T19:10:05.895Z

NVD

Status: Deferred

Published: 2026-02-26T20:31:38.017

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27141

Redhat

Severity: Moderate

Public Date: 2026-02-26T18:50:31Z

Links: CVE-2026-27141 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses