
Security: Fix CVE-2026-33814 (golang.org/x/net v0.48.0→v0.53.0) on release-v0.20.x#1668

Open

jkhelil wants to merge 1 commit into release-v0.20.x from fix/cve-2026-33814-golang-x-net-release-v0.20.x-attempt-1

Conversation

@jkhelil (Member) commented May 13, 2026

Summary

This PR fixes CVE-2026-33814 by upgrading golang.org/x/net from v0.48.0 to v0.53.0 on the release-v0.20.x branch (pipelines-1.15).

CVE Details

  • CVE ID: CVE-2026-33814
  • OSV ID: GO-2026-4918
  • Package: golang.org/x/net
  • Impact: Infinite loop in HTTP/2 transport when receiving a maliciously crafted SETTINGS_MAX_FRAME_SIZE value
  • Vulnerable versions: < v0.53.0
  • Fixed version: v0.53.0

Fix Description

Updated golang.org/x/net from v0.48.0 to v0.53.0. Also updated related golang.org/x/* packages to maintain consistency:

  • golang.org/x/sync v0.19.0 → v0.20.0
  • golang.org/x/sys v0.39.0 → v0.43.0
  • golang.org/x/term v0.38.0 → v0.42.0
  • golang.org/x/text v0.32.0 → v0.36.0
  • golang.org/x/tools v0.39.0 → v0.43.0

Note: No Jira ticket filed for this CVE on the release-v0.20.x branch. The fix was identified via OSV vulnerability scanning.

Test Results

Status: ⚠️ PARTIAL - build and vet passed, full test suite not run

Build: ✅ go build ./cmd/... - passed
go mod tidy: ✅ passed
go mod verify: ✅ all modules verified
Vet: ✅ go vet ./pkg/... ./internal/... - passed

Breaking Changes

None. The golang.org/x/net package maintains backward compatibility. The HTTP/2 transport fix is internal and does not change the public API.

Verification Steps

  • Confirm CVE-2026-33814 is resolved by running govulncheck
  • Verify HTTP/2 connections work correctly
  • Review changes in x/net/http2/frame.go (the core fix)

Risk Assessment

Factor             Assessment
Version change     v0.48.0 → v0.53.0 (5 patch releases in x/ module series)
API compatibility  ✅ golang.org/x/* maintains backward compatibility
Test coverage      Build/vet passed
Overall risk       Low-Medium - standard golang.org/x/* security update

🤖 Generated by CVE Fixer Workflow

Security fix: update golang.org/x/net from v0.48.0 to v0.53.0 to address CVE-2026-33814 (HTTP/2 infinite loop)

- Update golang.org/x/net from v0.48.0 to v0.53.0
- Addresses infinite loop in HTTP/2 transport when receiving bad
  SETTINGS_MAX_FRAME_SIZE (CVE-2026-33814, GO-2026-4918)
- Also updates related golang.org/x/* packages to consistent versions:
  x/sync v0.19.0→v0.20.0, x/sys v0.39.0→v0.43.0,
  x/term v0.38.0→v0.42.0, x/text v0.32.0→v0.36.0,
  x/tools v0.39.0→v0.43.0
- All updates follow the minimum-safe-version principle

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
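The verification steps above ask a reviewer to confirm that the branch now pins golang.org/x/net at or beyond the fixed version. The following is an added example, not code from the Tekton project, the PR, or the CVE Fixer Workflow: it parses a go.mod text, extracts the required version of a module, and compares it against the fixed version using Go module ordering, in which a pseudo-version such as v0.53.0-0.20260101000000-abcdef123456 sorts before the release v0.53.0. The two go.mod fragments are constructed for the demonstration and the function names (RequiredVersion, CompareVersions, IsFixed) are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod fragments for the demonstration; neither is the project's real go.mod.
const vulnerableGoMod = `module example.com/app

go 1.22

require (
	golang.org/x/net v0.48.0
	golang.org/x/sync v0.19.0 // indirect
)
`

const patchedGoMod = `module example.com/app

go 1.22

require golang.org/x/net v0.53.0
`

// RequiredVersion returns the version that the go.mod text requires for module,
// handling both the single-line "require m v" form and the "require ( ... )" block.
func RequiredVersion(gomod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) >= 3 && f[0] == "require" && f[1] == module:
			return f[2], true
		case len(f) >= 2 && f[0] == module && strings.HasPrefix(f[1], "v"):
			return f[1], true
		}
	}
	return "", false
}

// version is the parsed form of vMAJOR.MINOR.PATCH[-prerelease][+build].
type version struct {
	nums [3]int
	pre  bool // true when a pre-release suffix (including a pseudo-version) is present
}

func parseVersion(v string) version {
	v = strings.TrimPrefix(v, "v")
	var out version
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out.pre = v[i] == '-' // "+build" metadata does not make a version a pre-release
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		out.nums[i] = n
	}
	return out
}

// CompareVersions returns -1, 0 or 1. Numeric fields decide; on a tie a
// pre-release (e.g. a pseudo-version of v0.53.0) sorts before the release itself.
func CompareVersions(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if va.nums[i] != vb.nums[i] {
			if va.nums[i] < vb.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case va.pre && !vb.pre:
		return -1
	case !va.pre && vb.pre:
		return 1
	}
	return 0
}

// IsFixed reports whether the go.mod text pins module at or above fixedVersion.
// A module absent from go.mod is reported as not fixed, so a missing requirement
// is noticed rather than silently passing.
func IsFixed(gomod, module, fixedVersion string) bool {
	v, ok := RequiredVersion(gomod, module)
	return ok && CompareVersions(v, fixedVersion) >= 0
}

func main() {
	const module, fixed = "golang.org/x/net", "v0.53.0"
	samples := []struct{ name, mod string }{{"vulnerable", vulnerableGoMod}, {"patched", patchedGoMod}}
	for _, s := range samples {
		v, _ := RequiredVersion(s.mod, module)
		fmt.Printf("%-10s %s %s -> at or above %s: %v\n", s.name, module, v, fixed, IsFixed(s.mod, module, fixed))
	}
}
```

This only confirms the pinned version in go.mod. In a real checkout, `go list -m golang.org/x/net` prints the version actually selected by the module graph, and `govulncheck ./...` remains the authoritative check because it also determines whether the vulnerable HTTP/2 code is reachable from the binary.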
@anithapriyanatarajan (Contributor) commented:

/kind misc

@tekton-robot tekton-robot added the kind/misc Categorizes issue or PR as a miscellaneous one. label May 14, 2026
@anithapriyanatarajan (Contributor) commented:

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026
@anithapriyanatarajan anithapriyanatarajan added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
@tekton-robot commented:

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. kind/misc Categorizes issue or PR as a miscellaneous one. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.


3 participants