Go HTTP/2 Transport Infinite Loop Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the HTTP/2 implementation shared by Go's net/http package and the golang.org/x/net/http2 package. When the HTTP/2 transport (the client side of a connection) processes a SETTINGS frame from the server, it accepts a SETTINGS_MAX_FRAME_SIZE value of 0 instead of rejecting it. RFC 9113 requires this setting to be between 2^14 (16,384) and 2^24-1 (16,777,215) octets inclusive, and a value outside that range must be treated as a connection error of type PROTOCOL_ERROR. Because the transport honours the zero limit when it later splits an outgoing header block into frames, it can never consume any of the remaining header data and continuously writes CONTINUATION frames, an infinite loop that ties up the client. The flaw affects Go versions prior to 1.25.10, Go 1.26.0 through 1.26.2 (fixed in 1.26.3), and golang.org/x/net/http2 before v0.53.0.
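As an added example (not the page's code and not Go's own implementation), the following Go program shows the range check that RFC 9113 section 6.5.2 requires for SETTINGS_MAX_FRAME_SIZE and the header-framing loop that check protects. The RFC bounds and the setting identifier 0x5 are real; the PeerSettings type, the ApplySetting and SplitHeaderBlock functions and the sample inputs are invented here for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Bounds for SETTINGS_MAX_FRAME_SIZE from RFC 9113 section 6.5.2.
const (
	minMaxFrameSize     uint32 = 1 << 14   // 16384, also the initial value
	maxMaxFrameSize     uint32 = 1<<24 - 1 // 16777215
	settingMaxFrameSize uint16 = 0x5       // SETTINGS identifier for MAX_FRAME_SIZE
)

// ErrInvalidMaxFrameSize models the PROTOCOL_ERROR the peer must receive.
var ErrInvalidMaxFrameSize = errors.New("http2: SETTINGS_MAX_FRAME_SIZE out of range (PROTOCOL_ERROR)")

// PeerSettings holds the one peer-advertised setting this example tracks
// (hypothetical type, not from net/http or x/net).
type PeerSettings struct {
	MaxFrameSize uint32
}

// NewPeerSettings returns settings at their RFC-defined initial values.
func NewPeerSettings() *PeerSettings {
	return &PeerSettings{MaxFrameSize: minMaxFrameSize}
}

// ApplySetting validates one (identifier, value) pair from a SETTINGS frame
// before storing it. Out-of-range MAX_FRAME_SIZE values, including 0, are
// rejected and the previously stored value is left untouched.
func (p *PeerSettings) ApplySetting(id uint16, value uint32) error {
	switch id {
	case settingMaxFrameSize:
		if value < minMaxFrameSize || value > maxMaxFrameSize {
			return fmt.Errorf("%w: got %d", ErrInvalidMaxFrameSize, value)
		}
		p.MaxFrameSize = value
	default:
		// Settings this example does not track are ignored.
	}
	return nil
}

// SplitHeaderBlock splits an encoded header block into the payload of one
// HEADERS frame followed by zero or more CONTINUATION frames, each no larger
// than maxFrameSize. Without the guard at the top, a maxFrameSize of 0 would
// make the loop slice off zero bytes on every iteration and append
// CONTINUATION payloads forever, which is the hang described in the text.
func SplitHeaderBlock(block []byte, maxFrameSize uint32) ([][]byte, error) {
	if maxFrameSize == 0 {
		return nil, fmt.Errorf("refusing to frame headers: %w", ErrInvalidMaxFrameSize)
	}
	var frames [][]byte
	for {
		if uint32(len(block)) <= maxFrameSize {
			return append(frames, block), nil // final frame would carry END_HEADERS
		}
		frames = append(frames, block[:maxFrameSize])
		block = block[maxFrameSize:]
	}
}

func main() {
	peer := NewPeerSettings()

	// Constructed sample: a malicious server advertises MAX_FRAME_SIZE = 0.
	if err := peer.ApplySetting(settingMaxFrameSize, 0); err != nil {
		fmt.Println("rejected:", err)
	}

	// The stored value is still the safe initial value, so framing makes progress.
	block := make([]byte, 40000) // constructed 40000-byte header block
	frames, err := SplitHeaderBlock(block, peer.MaxFrameSize)
	fmt.Printf("validated: frames=%d err=%v\n", len(frames), err)

	// Feeding the unvalidated 0 straight into the framing loop fails fast
	// instead of spinning.
	_, err = SplitHeaderBlock(block, 0)
	fmt.Println("unvalidated:", err)
}
```

The point of the split is that the validation belongs at the SETTINGS boundary, before the value is stored; the guard inside SplitHeaderBlock is defence in depth so that a stray zero from any other path still fails closed rather than looping.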
Impact
A malicious or compromised server can trigger the flaw simply by advertising SETTINGS_MAX_FRAME_SIZE = 0 to a connecting Go client; the client's HTTP/2 transport then hangs indefinitely, repeatedly writing CONTINUATION frames and burning CPU without ever completing the request. Any Go program that makes HTTP/2 requests to servers it does not control (crawlers, webhooks, proxies, URL fetchers) is exposed to this client-side denial of service.
Remediation
Upgrade to Go 1.25.10 or 1.26.3, both of which include the fix, and, for code that imports golang.org/x/net/http2 directly, to golang.org/x/net v0.53.0 or later. Instructions for downloading these Go versions are available on the Go website.
