{"id":"GO-2026-4559","summary":"Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net","details":"Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic","aliases":["CVE-2026-27141"],"modified":"2026-05-15T10:59:06.132973782Z","published":"2026-02-26T18:24:17Z","related":["CGA-7r65-fmrg-cx4q","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2026-4559","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27141"},{"type":"FIX","url":"https://go.dev/cl/746180"},{"type":"REPORT","url":"https://go.dev/issue/77652"}],"affected":[{"package":{"name":"golang.org/x/net","ecosystem":"Go","purl":"pkg:golang/golang.org/x/net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.50.0"},{"fixed":"0.51.0"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/net/http2","symbols":["ClientConn.Close","ClientConn.Ping","ClientConn.RoundTrip","ClientConn.Shutdown","ConfigureServer","ConfigureTransport","ConfigureTransports","ConnectionError.Error","ErrCode.String","FrameHeader.String","FrameType.String","FrameWriteRequest.String","Framer.ReadFrame","Framer.ReadFrameForHeader","Framer.ReadFrameHeader","Framer.WriteContinuation","Framer.WriteData","Framer.WriteDataPadded","Framer.WriteGoAway","Framer.WriteHeaders","Framer.WritePing","Framer.WritePriority","Framer.WritePriorityUpdate","Framer.WritePushPromise","Framer.WriteRSTStream","Framer.WriteRawFrame","Framer.WriteSettings","Framer.WriteSettingsAck","Framer.WriteWindowUpdate","GoAwayError.Error","ReadFrameHeader","Server.ServeConn","Setting.String","SettingID.String","SettingsFrame.ForeachSetting","StreamError.Error","Transport.CloseIdleConnections","Transport.NewClientConn","Transport.RoundTrip","Transport.RoundTripOpt","bufferedWriter.Flush","bufferedWriter.Write","bufferedWriterTimeoutWriter.Write","chunkWriter.Write","clientConnPool.GetClientConn","connError.Error","dataBuffer.Read","duplicatePseudoHeaderError.Error","gzipReader.Close","gzipReader.Read","headerFieldNameError.Error","headerFieldValueError.Error","netHTTPClientConn.Close","netHTTPClientConn.RoundTrip","noDialClientConnPool.GetClientConn","noDialH2RoundTripper.NewClientConn","noDialH2RoundTripper.RoundTrip","pipe.Read","priorityWriteSchedulerRFC7540.CloseStream","priorityWriteSchedulerRFC7540.OpenStream","priorityWriteSchedulerRFC9218.OpenStream","pseudoHeaderError.Error","requestBody.Close","requestBody.Read","responseWriter.Flush","responseWriter.FlushError","responseWriter.Push","responseWriter.SetReadDeadline","responseWriter.SetWriteDeadline","responseWriter.Write","responseWriter.WriteHeader","responseWriter.WriteString","roundRobinWriteScheduler.OpenStream","serverConn.CloseConn","serverConn.Flush","stickyErrWriter.Write","transportResponseBody.Close","transportResponseBody.Read","typeFrameParser","unencryptedTransport.RoundTrip","writeData.String"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4559.json"}}],"schema_version":"1.7.5"}