Coder Patches Critical HTTP/2 Infinite Loop DoS Vulnerability in golang.org/x/net (CVE-2026-33814)

A security patch merged into the Coder v2.31.x release branch addresses CVE-2026-33814, a denial-of-service vulnerability in golang.org/x/net/http2. The flaw stems from an infinite loop condition triggered when an HTTP/2 client sends a SETTINGS_MAX_FRAME_SIZE value of zero, potentially allowing remote actors to exhaust server resources without authentication. The fix bumps golang.org/x/net from v0.52.0 to v0.53.0.

The pull request, described as a cherry-pick from the main branch (PR #24259), implements the minimal required change via `go get golang.org/x/[email protected]` followed by `go mod tidy`. The original broader update touched seven golang.org/x packages, but divergent x/mod versions between main and the release/2.31 branch necessitated a targeted manual approach. The patch also carries transitive dependency bumps: x/crypto v0.50.0, x/sys v0.43.0, x/term v0.42.0, and x/text v0.36.0. This is tracked under internal issue ENT-10.

HTTP/2 implementations handling external or untrusted traffic face the highest exposure if left unpatched. Any Coder deployment or derivative product relying on the affected Go network stack could be vulnerable to resource exhaustion attacks via malformed connection settings. Organizations running the v2.31.x release line should prioritize applying this update, particularly in environments where Coder serves as the development environment backend. The upstream golang.org/x/net library is foundational to a wide range of Go-based tooling and infrastructure, making this patch relevant beyond the Coder ecosystem alone.