CVE-2026-33814
Publication date 7 May 2026
Last updated 18 June 2026
Ubuntu priority
Description
When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| adsys | 26.04 LTS resolute |
Fixed 0.16.4ubuntu1.1
|
| 25.10 questing |
Fixed 0.16.3ubuntu0.25.10.2
|
|
| 24.04 LTS noble |
Fixed 0.16.3~24.04.2ubuntu0.24.04.1
|
|
| 22.04 LTS jammy |
Fixed 0.16.3~22.04.2ubuntu0.22.04.1
|
|
| 20.04 LTS focal |
Fixed 0.9.2~20.04.2ubuntu0.1+esm2
|
|
| containerd | 26.04 LTS resolute |
Vulnerable
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage | |
| golang-golang-x-net | 26.04 LTS resolute |
Vulnerable
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| golang-golang-x-net-dev | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| google-guest-agent | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of ESM support, was needs-triage | |
| juju-core | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 16.04 LTS xenial |
Needs evaluation
|
|
| lxd | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialNotes
octagalland
google-guest-agent, adsys, juju-core and lxd contain a vendored copy of golang-golang-x-net
mdeslaur
containerd contains a vendored copy of golang-golang-x-net
Severity score breakdown
CVSS version: CVSS v3.0
Base score
7.5 · High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8430-1
- ADSys vulnerabilities
- 15 June 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-33814
- https://go-review.googlesource.com/c/go/+/761581
- https://go-review.googlesource.com/c/net/+/761640
- https://github.com/golang/go/issues/78476
- https://go.dev/cl/761581
- https://go.dev/cl/761640
- https://go.dev/issue/78476
- https://groups.google.com/g/golang-announce/c/qcCIEXso47M
- https://pkg.go.dev/vuln/GO-2026-4918