Go HTTP/2 Nil Pointer Dereference Vulnerability

Vulnerability

A nil pointer dereference vulnerability has been identified in the Go HTTP/2 implementation, specifically in the x/net/http2 package prior to version 0.51.0. The issue arises from a missing nil check when handling certain HTTP/2 frame types (0x0a-0x0f), which can lead to a panic in the server. The vulnerability was introduced by a change in the frame type parsing logic that did not properly handle unassigned frame types, allowing a nil function call panic to occur.
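To illustrate the failure mode and its fix, here is an added Go example (not code from x/net/http2 or the Go project): a minimal HTTP/2 frame-header parser with a per-type parser table, showing the unchecked dispatch that calls a nil func for an unassigned type beside the hardened dispatch that ignores unknown types as RFC 7540 requires. The frame bytes, parser table and function names are constructed for this example.

```go
package main

import "fmt"

// FrameHeader is the 9-octet HTTP/2 frame header (RFC 7540 section 4.1).
type FrameHeader struct {
	Length   uint32 // 24-bit payload length
	Type     uint8  // frame type; RFC 7540 assigns 0x00-0x09
	Flags    uint8
	StreamID uint32 // 31 bits; the top bit on the wire is reserved
}

// ParseFrameHeader decodes one frame from b and returns its header and payload.
func ParseFrameHeader(b []byte) (FrameHeader, []byte, error) {
	if len(b) < 9 {
		return FrameHeader{}, nil, fmt.Errorf("short frame header: %d octets", len(b))
	}
	h := FrameHeader{Length: uint32(b[0])<<16 | uint32(b[1])<<8 | uint32(b[2]), Type: b[3], Flags: b[4]}
	h.StreamID = uint32(b[5]&0x7f)<<24 | uint32(b[6])<<16 | uint32(b[7])<<8 | uint32(b[8])
	if uint32(len(b)-9) < h.Length {
		return FrameHeader{}, nil, fmt.Errorf("truncated payload: want %d octets", h.Length)
	}
	return h, b[9 : 9+h.Length], nil
}

type frameParser func(h FrameHeader, payload []byte) (string, error)

// Parsers this toy server registers. Types 0x0a-0x0f have no entry, so a plain
// map lookup yields a nil func for them.
var frameParsers = map[uint8]frameParser{
	0x06: func(h FrameHeader, p []byte) (string, error) { return "PING", nil },
}

// DispatchUnchecked mirrors the vulnerable pattern: for an unregistered type the
// looked-up func is nil, and calling it panics the goroutine serving the connection.
func DispatchUnchecked(h FrameHeader, p []byte) (string, error) {
	return frameParsers[h.Type](h, p)
}

// Dispatch is the hardened form: unknown frame types are ignored and discarded,
// as RFC 7540 section 4.1 requires, instead of crashing.
func Dispatch(h FrameHeader, p []byte) (string, error) {
	if parser := frameParsers[h.Type]; parser != nil {
		return parser(h, p)
	}
	return fmt.Sprintf("ignored unknown frame type 0x%02x", h.Type), nil
}

func main() {
	// Constructed frame of type 0x0a (ALTSVC) with an empty payload on stream 0.
	h, p, _ := ParseFrameHeader([]byte{0, 0, 0, 0x0a, 0, 0, 0, 0, 0})
	fmt.Println(Dispatch(h, p))
}
```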

Impact

Exploiting this vulnerability causes a runtime panic on the server, disrupting normal operation and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by sending HTTP/2 frames with types 0x0a (ALTSVC) and 0x0c (ORIGIN) to a server running an affected version of Go. The server panics on these unhandled frame types because of the nil pointer dereference.

Remediation

Users can upgrade to Go version 1.25.8 or later, which includes the fix. The vulnerability is tracked in the Go vulnerability database as GO-2026-4559.

Added: Feb 26, 2026, 8:34 PM
Updated: Feb 26, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 6.3
remediation: 7.7
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.