CVE-2026-27141: Sending certain HTTP/2 frames can cause a server to panic in golang.org/x/net

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Status

Not Exploited

Patch Tuesday

2026-Feb

Released

2026-03-05

EPSS Score

0.06% (percentile: 19.7%)

Affected Products (65)

Other

• 20980-17086
• 17591-17084
• 20982-17084
• 20983-17086
• 20985-17084
• 20989-17084
• 20990-17084
• 20993-17084
• 20995-17086
• 19431-17084
• 20996-17084
• 20947-17086
• 21001-17086
• 21002-17086
• 21003-17086
• 21004-17086
• 20977-17084
• 21005-17086
• 21008-17084
• 21010-17084
• 17793-17084
• 21012-17084
• 21014-17084
• 21015-17084
• 21017-17086
• 20946-17086
• 21019-17084
• 21020-17084
• 20969-17084
• 20949-17086
• 20981-17084
• 20915-17086
• 20984-17084
• 20986-17084
• 20987-17086
• 20988-17084
• 20991-17084
• 20992-17084
• 20994-17084
• 20941-17086
• 20997-17084
• 19322-17084
• 20934-17086
• 20998-17086
• 20999-17086
• 21000-17086
• 20701-17086
• 20975-17084
• 20582-17084
• 20971-17084
• ... and 13 more

Open Source Software

• cbl2 kata-containers 3.2.0.azl2-7 on CBL Mariner 2.0
• cbl2 kata-containers-cc 3.2.0.azl2-8 on CBL Mariner 2.0

Revision History

• 2026-03-05: Information published.