Vulnerability Report: GO-2026-4559
- CVE-2026-27141
- Affects: golang.org/x/net
- Published: Feb 26, 2026
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
For detailed information about this vulnerability, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27141.
Affected Packages
-
PathGo VersionsSymbols
-
from v0.50.0 before v0.51.0
40 affected symbols
- ClientConn.Close
- ClientConn.Ping
- ClientConn.RoundTrip
- ClientConn.Shutdown
- ConfigureServer
- ConfigureTransport
- ConfigureTransports
- ConnectionError.Error
- ErrCode.String
- FrameHeader.String
- FrameType.String
- FrameWriteRequest.String
- Framer.ReadFrame
- Framer.ReadFrameForHeader
- Framer.ReadFrameHeader
- Framer.WriteContinuation
- Framer.WriteData
- Framer.WriteDataPadded
- Framer.WriteGoAway
- Framer.WriteHeaders
- Framer.WritePing
- Framer.WritePriority
- Framer.WritePriorityUpdate
- Framer.WritePushPromise
- Framer.WriteRSTStream
- Framer.WriteRawFrame
- Framer.WriteSettings
- Framer.WriteSettingsAck
- Framer.WriteWindowUpdate
- GoAwayError.Error
- ReadFrameHeader
- Server.ServeConn
- Setting.String
- SettingID.String
- SettingsFrame.ForeachSetting
- StreamError.Error
- Transport.CloseIdleConnections
- Transport.NewClientConn
- Transport.RoundTrip
- Transport.RoundTripOpt
Aliases
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-27141
- https://go.dev/cl/746180
- https://go.dev/issue/77652
- https://vuln.go.dev/ID/GO-2026-4559.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.