Impact
The transport layer of the Go standard library writes CONTINUATION frames indefinitely when it receives a SETTINGS_MAX_FRAME_SIZE value of zero. This causes the server to spin in an infinite write loop, exhausting CPU and memory and leaving the application unresponsive. Consequently, a remote attacker can force a denial of service by sending a single malformed HTTP/2 SETTINGS frame.
Affected Systems
Vulnerable components include the Go standard library’s net/http package and the golang.org/x/net/http2 module. No specific version identifiers are listed, so any installation using these packages is potentially affected until a fix is applied.
Risk and Exploitability
Because the defect is triggered by a malformed HTTP/2 SETTINGS frame, an attacker only needs to send that frame over a network connection to the vulnerable server; no authentication or elevated privileges are required. Although the EPSS score is not available, the absence of a known exploit in public exploit databases and the fact that the vulnerability is not listed in the CISA KEV catalog lower the immediate risk of widespread exploitation, yet the potential for a denial of service remains high. The CVSS score is not provided in the public data, but the nature of the infinite loop implies a high-severity impact, especially in high-traffic environments where a single request can stall the entire service. Since the vulnerability is triggered by an external request, the attack vector is remote and the exploitation complexity is low. The impact on data confidentiality is negligible, but the availability of the affected service is severely compromised.
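As an added example (not code from the Go project or from this advisory), the following Go functions show the two-sided defence the description implies: validate SETTINGS_MAX_FRAME_SIZE against the RFC 7540 range when a SETTINGS payload is received, and guard the header-block fragmenter so that a zero frame size yields an error instead of a write loop that never advances. The function names and the constructed SETTINGS payload are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// RFC 7540 §6.5.2: SETTINGS_MAX_FRAME_SIZE (id 0x5) must lie in 2^14..2^24-1.
const (
	settingMaxFrameSize uint16 = 0x5
	minMaxFrameSize            = 1 << 14
	maxMaxFrameSize            = 1<<24 - 1
)
var errBadMaxFrameSize = errors.New("SETTINGS_MAX_FRAME_SIZE out of range: PROTOCOL_ERROR")

// ParseSettingsPayload walks the 6-byte (id, value) entries of a SETTINGS payload and
// returns the max frame size to use, rejecting out-of-range values (zero included).
func ParseSettingsPayload(payload []byte, current uint32) (uint32, error) {
	if len(payload)%6 != 0 {
		return 0, errors.New("SETTINGS payload not a multiple of 6 bytes: FRAME_SIZE_ERROR")
	}
	for off := 0; off < len(payload); off += 6 {
		id := binary.BigEndian.Uint16(payload[off:])
		val := binary.BigEndian.Uint32(payload[off+2:])
		if id == settingMaxFrameSize {
			if val < minMaxFrameSize || val > maxMaxFrameSize {
				return 0, errBadMaxFrameSize
			}
			current = val
		}
	}
	return current, nil
}

// FragmentHeaderBlock splits an encoded header block into HEADERS/CONTINUATION payloads
// of at most maxFrameSize bytes. With maxFrameSize == 0 the loop below would consume
// nothing on each pass and never terminate, so the guard fails fast instead.
func FragmentHeaderBlock(block []byte, maxFrameSize uint32) ([][]byte, error) {
	if maxFrameSize == 0 {
		return nil, errBadMaxFrameSize
	}
	var frames [][]byte
	for len(block) > 0 {
		n := int(maxFrameSize)
		if n > len(block) {
			n = len(block)
		}
		frames, block = append(frames, block[:n]), block[n:]
	}
	return frames, nil
}
```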
OpenCVE Enrichment