Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net — CVE-2026-27141

Summary

Advisory CVE-2026-27141. Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net Vendor: Microsoft. Source: MSRC. Threat: high. CVSS 7.5. See the official advisory for details.

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• Unexpected session resumption in crypto/tls CVE-2025-68121
• Bytes is vulnerable to integer overflow in BytesMut::reserve CVE-2026-25541
• In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables re… CVE-2026-28364
• Malformed Valkey Cluster bus message can lead to Remote DoS CVE-2026-21863
• Valkey Affected by RESP Protocol Injection via Lua error_reply CVE-2025-67733
• WordPress Oxygen theme <= 6.0.8 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-69299
• btrfs: reject new transactions if the fs is fully read-only CVE-2026-23214
• bus: fsl-mc: fix use-after-free in driver_override_show() CVE-2026-23221
• crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode CVE-2025-71231
• crypto: virtio - Add spinlock protection with virtqueue notification CVE-2026-23229
• drm/amd/pm: Disable MMIO access during SMU Mode 1 reset CVE-2026-23213
• drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free CVE-2026-23227