CVE-2026-33814

Daily digests

A malformed HTTP/2 SETTINGS_MAX_FRAME_SIZE value can send Go's net/http2 library into an infinite loop, effectively hanging any service built on it. An attacker just needs to send a bad HTTP/2 frame to tie up the process. No authentication required, no user interaction needed.

• Daily Digest · May 15, 2026

  Cisco SD-WAN auth bypass, CVSS 10.0