{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27141", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-02-17T19:57:28.435Z", "datePublished": "2026-02-26T18:50:31.830Z", "dateUpdated": "2026-02-27T19:11:57.260Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-02-26T18:50:31.830Z"}, "title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net", "descriptions": [{"lang": "en", "value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"}], "affected": [{"vendor": "golang.org/x/net", "product": "golang.org/x/net/http2", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/net/http2", "versions": [{"version": "0.50.0", "lessThan": "0.51.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "typeFrameParser"}, {"name": "ClientConn.Close"}, {"name": "ClientConn.Ping"}, {"name": "ClientConn.RoundTrip"}, {"name": "ClientConn.Shutdown"}, {"name": "ConfigureServer"}, {"name": "ConfigureTransport"}, {"name": "ConfigureTransports"}, {"name": "ConnectionError.Error"}, {"name": "ErrCode.String"}, {"name": "FrameHeader.String"}, {"name": "FrameType.String"}, {"name": "FrameWriteRequest.String"}, {"name": "Framer.ReadFrame"}, {"name": "Framer.ReadFrameForHeader"}, {"name": "Framer.ReadFrameHeader"}, {"name": "Framer.WriteContinuation"}, {"name": "Framer.WriteData"}, {"name": "Framer.WriteDataPadded"}, {"name": "Framer.WriteGoAway"}, {"name": "Framer.WriteHeaders"}, {"name": "Framer.WritePing"}, {"name": "Framer.WritePriority"}, {"name": "Framer.WritePriorityUpdate"}, {"name": "Framer.WritePushPromise"}, {"name": "Framer.WriteRSTStream"}, {"name": "Framer.WriteRawFrame"}, {"name": "Framer.WriteSettings"}, {"name": "Framer.WriteSettingsAck"}, {"name": "Framer.WriteWindowUpdate"}, {"name": "GoAwayError.Error"}, {"name": "ReadFrameHeader"}, {"name": "Server.ServeConn"}, {"name": "Setting.String"}, {"name": "SettingID.String"}, {"name": "SettingsFrame.ForeachSetting"}, {"name": "StreamError.Error"}, {"name": "Transport.CloseIdleConnections"}, {"name": "Transport.NewClientConn"}, {"name": "Transport.RoundTrip"}, {"name": "Transport.RoundTripOpt"}, {"name": "bufferedWriter.Flush"}, {"name": "bufferedWriter.Write"}, {"name": "bufferedWriterTimeoutWriter.Write"}, {"name": "chunkWriter.Write"}, {"name": "clientConnPool.GetClientConn"}, {"name": "connError.Error"}, {"name": "dataBuffer.Read"}, {"name": "duplicatePseudoHeaderError.Error"}, {"name": "gzipReader.Close"}, {"name": "gzipReader.Read"}, {"name": "headerFieldNameError.Error"}, {"name": "headerFieldValueError.Error"}, {"name": "netHTTPClientConn.Close"}, {"name": "netHTTPClientConn.RoundTrip"}, {"name": "noDialClientConnPool.GetClientConn"}, {"name": "noDialH2RoundTripper.NewClientConn"}, {"name": "noDialH2RoundTripper.RoundTrip"}, {"name": "pipe.Read"}, {"name": "priorityWriteSchedulerRFC7540.CloseStream"}, {"name": "priorityWriteSchedulerRFC7540.OpenStream"}, {"name": "priorityWriteSchedulerRFC9218.OpenStream"}, {"name": "pseudoHeaderError.Error"}, {"name": "requestBody.Close"}, {"name": "requestBody.Read"}, {"name": "responseWriter.Flush"}, {"name": "responseWriter.FlushError"}, {"name": "responseWriter.Push"}, {"name": "responseWriter.SetReadDeadline"}, {"name": "responseWriter.SetWriteDeadline"}, {"name": "responseWriter.Write"}, {"name": "responseWriter.WriteHeader"}, {"name": "responseWriter.WriteString"}, {"name": "roundRobinWriteScheduler.OpenStream"}, {"name": "serverConn.CloseConn"}, {"name": "serverConn.Flush"}, {"name": "stickyErrWriter.Write"}, {"name": "transportResponseBody.Close"}, {"name": "transportResponseBody.Read"}, {"name": "unencryptedTransport.RoundTrip"}, {"name": "writeData.String"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-476: NULL Pointer Dereference"}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"}, {"url": "https://go.dev/cl/746180"}, {"url": "https://go.dev/issue/77652"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4559"}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "CWE-476 NULL Pointer Dereference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T19:11:24.117207Z", "id": "CVE-2026-27141", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:11:57.260Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27141", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T19:11:24.117207Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T19:10:05.895Z"}}], "cna": {"title": "Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net", "affected": [{"vendor": "golang.org/x/net", "product": "golang.org/x/net/http2", "versions": [{"status": "affected", "version": "0.50.0", "lessThan": "0.51.0", "versionType": "semver"}], "packageName": "golang.org/x/net/http2", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "typeFrameParser"}, {"name": "ClientConn.Close"}, {"name": "ClientConn.Ping"}, {"name": "ClientConn.RoundTrip"}, {"name": "ClientConn.Shutdown"}, {"name": "ConfigureServer"}, {"name": "ConfigureTransport"}, {"name": "ConfigureTransports"}, {"name": "ConnectionError.Error"}, {"name": "ErrCode.String"}, {"name": "FrameHeader.String"}, {"name": "FrameType.String"}, {"name": "FrameWriteRequest.String"}, {"name": "Framer.ReadFrame"}, {"name": "Framer.ReadFrameForHeader"}, {"name": "Framer.ReadFrameHeader"}, {"name": "Framer.WriteContinuation"}, {"name": "Framer.WriteData"}, {"name": "Framer.WriteDataPadded"}, {"name": "Framer.WriteGoAway"}, {"name": "Framer.WriteHeaders"}, {"name": "Framer.WritePing"}, {"name": "Framer.WritePriority"}, {"name": "Framer.WritePriorityUpdate"}, {"name": "Framer.WritePushPromise"}, {"name": "Framer.WriteRSTStream"}, {"name": "Framer.WriteRawFrame"}, {"name": "Framer.WriteSettings"}, {"name": "Framer.WriteSettingsAck"}, {"name": "Framer.WriteWindowUpdate"}, {"name": "GoAwayError.Error"}, {"name": "ReadFrameHeader"}, {"name": "Server.ServeConn"}, {"name": "Setting.String"}, {"name": "SettingID.String"}, {"name": "SettingsFrame.ForeachSetting"}, {"name": "StreamError.Error"}, {"name": "Transport.CloseIdleConnections"}, {"name": "Transport.NewClientConn"}, {"name": "Transport.RoundTrip"}, {"name": "Transport.RoundTripOpt"}, {"name": "bufferedWriter.Flush"}, {"name": "bufferedWriter.Write"}, {"name": "bufferedWriterTimeoutWriter.Write"}, {"name": "chunkWriter.Write"}, {"name": "clientConnPool.GetClientConn"}, {"name": "connError.Error"}, {"name": "dataBuffer.Read"}, {"name": "duplicatePseudoHeaderError.Error"}, {"name": "gzipReader.Close"}, {"name": "gzipReader.Read"}, {"name": "headerFieldNameError.Error"}, {"name": "headerFieldValueError.Error"}, {"name": "netHTTPClientConn.Close"}, {"name": "netHTTPClientConn.RoundTrip"}, {"name": "noDialClientConnPool.GetClientConn"}, {"name": "noDialH2RoundTripper.NewClientConn"}, {"name": "noDialH2RoundTripper.RoundTrip"}, {"name": "pipe.Read"}, {"name": "priorityWriteSchedulerRFC7540.CloseStream"}, {"name": "priorityWriteSchedulerRFC7540.OpenStream"}, {"name": "priorityWriteSchedulerRFC9218.OpenStream"}, {"name": "pseudoHeaderError.Error"}, {"name": "requestBody.Close"}, {"name": "requestBody.Read"}, {"name": "responseWriter.Flush"}, {"name": "responseWriter.FlushError"}, {"name": "responseWriter.Push"}, {"name": "responseWriter.SetReadDeadline"}, {"name": "responseWriter.SetWriteDeadline"}, {"name": "responseWriter.Write"}, {"name": "responseWriter.WriteHeader"}, {"name": "responseWriter.WriteString"}, {"name": "roundRobinWriteScheduler.OpenStream"}, {"name": "serverConn.CloseConn"}, {"name": "serverConn.Flush"}, {"name": "stickyErrWriter.Write"}, {"name": "transportResponseBody.Close"}, {"name": "transportResponseBody.Read"}, {"name": "unencryptedTransport.RoundTrip"}, {"name": "writeData.String"}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"}, {"url": "https://go.dev/cl/746180"}, {"url": "https://go.dev/issue/77652"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4559"}], "descriptions": [{"lang": "en", "value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-02-26T18:50:31.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27141", "state": "PUBLISHED", "dateUpdated": "2026-02-27T19:11:57.260Z", "dateReserved": "2026-02-17T19:57:28.435Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-02-26T18:50:31.830Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"}, {"lang": "es", "value": "Debido a la falta de una comprobaci\u00f3n de nulo, el env\u00edo de tramas HTTP/2 0x0a-0x0f causar\u00e1 que un servidor en ejecuci\u00f3n colapse."}], "id": "CVE-2026-27141", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-26T20:31:38.017", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/746180"}, {"source": "security@golang.org", "url": "https://go.dev/issue/77652"}, {"source": "security@golang.org", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27141"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4559"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "golang.org/x/net/http2: golang.org/x/net/http2: Denial of Service due to malformed HTTP/2 frames", "id": "2443104", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443104"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-476", "details": ["Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic"], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-27141", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}], "public_date": "2026-02-26T18:50:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27141\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27141\nhttps://go.dev/cl/746180\nhttps://go.dev/issue/77652\nhttps://pkg.go.dev/vuln/GO-2026-4559"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.50.0,0.51.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "golang.org/x/net/http2", "source": "cna", "vendor": "golang.org/x/net"}, "product": "net/http", "vendor": "go_standard_library"}], "analysis": {"en": {"generated_at": "2026-04-16T16:05:51.793429+00:00", "value": {"mitigation_remediation": ["Upgrade the golang.org/x/net library to a version that includes the nil check fix (see GO\u20112026\u20114559).", "If an immediate upgrade is not feasible, configure the server to reject or ignore HTTP/2 frames 0x0a\u20130x0f, or disable HTTP/2 support entirely to prevent the panic. ", "After applying a fix or workaround, test the server with a crafted HTTP/2 client and monitor logs for panic events to confirm the issue is resolved."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected component is the golang.org/x/net library, specifically the http2 package used by any Go application that implements HTTP/2 support. No specific software versions are listed; therefore, any application leveraging this library that has not applied the latest patch is potentially vulnerable.", "description_and_impact": "The vulnerability in golang.org/x/net/http2 arises from a missing nil check that causes a server to panic when it receives HTTP/2 frames with types 0x0a through 0x0f. A panic triggers a crash of the running server instance, abruptly terminating service and resulting in a denial of service for all clients connected to that server. The vulnerability does not grant any attacker privilege escalation or data exposure, but it can be exploited remotely merely by sending the offending frames over an established HTTP/2 connection.", "risk_and_exploitability": "With a CVSS score of 7.5, the risk level is moderate to high. The EPSS score indicates a very low likelihood of exploitation in the wild, and the vulnerability is not currently listed in CISA\u2019s KEV catalog. Nonetheless, an attacker can trigger the panic by sending crafted HTTP/2 frames without authentication, making the vulnerability remotely exploitable with only network access to the server."}}}}, "created": "2026-02-27T09:07:11.895455+00:00", "updated": "2026-04-16T16:15:08.463823+00:00", "vendors": ["go_standard_library", "go_standard_library$PRODUCT$net/http"]}