Impact
The transport layer of the Go standard library writes CONTINUATION frames indefinitely when a peer advertises a SETTINGS_MAX_FRAME_SIZE value of zero. The server then spins in an infinite write loop, exhausting CPU and memory and leaving the application unresponsive. Consequently, a remote attacker can force a denial of service by sending a single malformed HTTP/2 SETTINGS frame.
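The defensive check that prevents this class of bug is to validate SETTINGS_MAX_FRAME_SIZE against the range RFC 9113 mandates (2^14 to 2^24-1; anything else is a connection error) before the value ever reaches the code that slices a header block into HEADERS and CONTINUATION frames. The Go program below is an added illustration written for this page, not code from the Go standard library or golang.org/x/net; the function names parseMaxFrameSize and splitHeaderBlock and the SETTINGS payloads are constructed for the example. It shows the validation step and a splitter that fails closed on a zero size instead of looping without advancing.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 9113 section 6.5.2: SETTINGS_MAX_FRAME_SIZE has identifier 0x5 and
// must lie in [2^14, 2^24-1]; a value outside that range is a PROTOCOL_ERROR.
const (
	settingMaxFrameSize = 0x5
	minMaxFrameSize     = 1 << 14     // 16384, also the initial value
	maxMaxFrameSize     = 1<<24 - 1   // 16777215
)

var (
	ErrInvalidMaxFrameSize = errors.New("http2: SETTINGS_MAX_FRAME_SIZE outside RFC 9113 range (PROTOCOL_ERROR)")
	ErrBadSettingsLength   = errors.New("http2: SETTINGS payload length not a multiple of 6 (FRAME_SIZE_ERROR)")
)

// parseMaxFrameSize walks a SETTINGS frame payload (a sequence of 6-byte
// identifier/value pairs) and returns the peer's advertised maximum frame size.
// Unknown identifiers are ignored per the spec; an out-of-range max frame size
// is rejected here, before it can influence any writer loop.
func parseMaxFrameSize(payload []byte) (uint32, error) {
	if len(payload)%6 != 0 {
		return 0, ErrBadSettingsLength
	}
	size := uint32(minMaxFrameSize) // default when the peer does not send the setting
	for i := 0; i < len(payload); i += 6 {
		id := binary.BigEndian.Uint16(payload[i : i+2])
		val := binary.BigEndian.Uint32(payload[i+2 : i+6])
		if id != settingMaxFrameSize {
			continue
		}
		if val < minMaxFrameSize || val > maxMaxFrameSize {
			return 0, ErrInvalidMaxFrameSize
		}
		size = val
	}
	return size, nil
}

// splitHeaderBlock slices an encoded header block into payload chunks of at
// most maxFrameSize bytes: the first goes into a HEADERS frame, the rest into
// CONTINUATION frames. Without the zero guard the loop below would append an
// empty chunk forever, because block[0:] never shrinks; that is the failure
// mode described in the advisory, modelled here in miniature.
func splitHeaderBlock(block []byte, maxFrameSize uint32) ([][]byte, error) {
	if maxFrameSize == 0 {
		return nil, ErrInvalidMaxFrameSize
	}
	chunks := [][]byte{}
	for len(block) > 0 {
		n := int(maxFrameSize)
		if n > len(block) {
			n = len(block)
		}
		chunks = append(chunks, block[:n])
		block = block[n:]
	}
	if len(chunks) == 0 {
		chunks = append(chunks, []byte{}) // an empty block still needs one HEADERS frame
	}
	return chunks, nil
}

func main() {
	// Constructed sample: a SETTINGS payload carrying SETTINGS_MAX_FRAME_SIZE = 0.
	malformed := []byte{0x00, 0x05, 0x00, 0x00, 0x00, 0x00}
	if _, err := parseMaxFrameSize(malformed); err != nil {
		fmt.Println("rejected at parse time:", err)
	}
	// Constructed sample: the same setting at the RFC minimum of 16384 (0x4000).
	valid := []byte{0x00, 0x05, 0x00, 0x00, 0x40, 0x00}
	size, _ := parseMaxFrameSize(valid)
	chunks, _ := splitHeaderBlock(make([]byte, 40000), size)
	fmt.Printf("max frame size %d: 40000-byte header block -> %d frames\n", size, len(chunks))
}
```

The point of the two-layer design is that even if a future refactor removes the parse-time range check, the splitter still refuses a zero size rather than relying on the loop to make progress; a practitioner auditing an HTTP/2 implementation should look for both checks, and for a bound on the number of frames written per header block.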
Affected Systems
Vulnerable components include the Go standard library’s net/http package and the golang.org/x/net/http2 module. No specific version identifiers are listed, so any installation using these packages is potentially affected until a fix is applied.
Risk and Exploitability
The description does not state the preconditions explicitly; it is inferred from it that an attacker only needs a network connection to a vulnerable server in order to send the frame, and that no authentication or elevated privileges are required. The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, which reduces the immediate outbreak risk, yet the potential for a denial of service remains high. The CVSS score is 7.5, indicating high severity. This aligns with the nature of the flaw: an infinite loop causing resource exhaustion, so that in high-traffic environments a single request can stall the entire service. From the same description, the attack vector is inferred to be remote and the exploitation complexity low; the impact on data confidentiality is negligible, but the availability of the affected service is severely compromised.
OpenCVE Enrichment