Go HTTP/2 Transport Infinite Loop Flaw Prompts Emergency Patch in golang.org/x/net

A critical security vulnerability has been identified in golang.org/x/net, the widely-used Go standard library module, triggering an urgent dependency update across the ecosystem. The flaw, tracked as CVE-2026-33814 (GO-2026-4918), resides in the HTTP/2 transport implementation within net/http/internal/http2 and can cause an infinite loop condition when processing malformed SETTINGS frames.

The vulnerability emerges when an HTTP/2 peer sends a SETTINGS frame containing a SETTINGS_MAX_FRAME_SIZE parameter set to zero. Under these conditions, the transport enters an uncontrolled loop of CONTINUATION frame writes, effectively hanging the connection and potentially enabling denial-of-service conditions against any service leveraging the affected code. The issue affects applications using Go's net/http package with HTTP/2 enabled, which represents a significant portion of modern Go-based web servers, API gateways, and backend services. Patches have been committed via go.dev/cl/761581 and go.dev/cl/761640, with the fix arriving in version v0.53.0 of golang.org/x/net, upgraded from the vulnerable v0.52.0 release.

Developers using Go's HTTP/2 capabilities are advised to audit their dependency trees for the affected module version. The vulnerability carries a severity rating marked as "Unknown" in current NVD records, though the infinite loop behavior suggests meaningful availability risk in production environments. The Go security team has published an announcement via the official golang-announce mailing list. Organizations running Go-based infrastructure should prioritize patch deployment given the library's pervasive use across cloud-native applications and containerized workloads. Dependency scanning tools should flag golang.org/x/net versions below v0.53.0 for teams maintaining transitive dependency exposure.