CVE-2026-27141
Published: 26 February 2026
Summary
CVE-2026-27141 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Go (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables remote exploitation of the HTTP/2 server implementation (a nil dereference in frame handling) to crash the process, directly matching Application or System Exploitation for Endpoint DoS.
NVD Description
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic
Deeper analysis (AI)
CVE-2026-27141 is a vulnerability in the Go programming language's net/http package, specifically impacting HTTP/2 server implementations. Due to a missing nil check, the receipt of HTTP/2 frames with types 0x0a through 0x0f triggers a server panic. This issue, published on 2026-02-26, is categorized under CWE-476 (NULL Pointer Dereference) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.
A remote, unauthenticated attacker can exploit this vulnerability by sending the specified HTTP/2 frames to a vulnerable server over the network. Exploitation requires low complexity and no user interaction, resulting in a denial-of-service condition where the server panics and crashes, necessitating a manual restart.
Mitigation details are outlined in Go advisories, including the vulnerability entry GO-2026-4559 at https://pkg.go.dev/vuln/GO-2026-4559. The issue is tracked at https://go.dev/issue/77652, with a patch submitted via code review https://go.dev/cl/746180. Additional information is available from the NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-27141. Affected parties should upgrade to a patched Go release incorporating the fix.
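For triage while an upgrade is rolled out, the frame-type range in the description can be matched against recorded traffic. The following is an added example, not code from the Go project or from this advisory: it walks a decrypted client-to-server HTTP/2 byte stream (for instance one captured at a TLS-terminating proxy, which is an assumption) using the 9-octet frame header layout from RFC 9113 and reports frames of type 0x0a through 0x0f. The names `FindSuspectFrames`, `Finding` and `ErrTruncated` are hypothetical, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// clientPreface is the fixed HTTP/2 connection preface (RFC 9113, section 3.4).
const clientPreface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

var ErrTruncated = errors.New("truncated HTTP/2 frame")

// Finding records one frame whose type falls in the advisory's 0x0a-0x0f range.
type Finding struct {
	Offset, Length int    // header offset in the stream, declared payload length
	Type           byte   // frame type octet
	StreamID       uint32 // 31-bit stream identifier
}

// FindSuspectFrames returns every frame of type 0x0a-0x0f in a decrypted HTTP/2 byte stream.
func FindSuspectFrames(stream []byte) ([]Finding, error) {
	var out []Finding
	off := 0
	if bytes.HasPrefix(stream, []byte(clientPreface)) {
		off = len(clientPreface)
	}
	for off < len(stream) {
		if len(stream)-off < 9 { // a frame header is always 9 octets
			return out, ErrTruncated
		}
		h := stream[off : off+9]
		length := int(h[0])<<16 | int(h[1])<<8 | int(h[2])
		if h[3] >= 0x0a && h[3] <= 0x0f {
			id := binary.BigEndian.Uint32(h[5:9]) & 0x7fffffff // drop reserved bit
			out = append(out, Finding{Offset: off, Length: length, Type: h[3], StreamID: id})
		}
		if len(stream)-off-9 < length {
			return out, ErrTruncated
		}
		off += 9 + length
	}
	return out, nil
}

func main() {
	// Constructed sample: preface, empty SETTINGS frame (type 0x04), one type-0x0b header.
	s := append([]byte(clientPreface), 0, 0, 0, 0x04, 0, 0, 0, 0, 0, 0, 0, 0, 0x0b, 0, 0, 0, 0, 0)
	fmt.Println(FindSuspectFrames(s))
}
```

A hit is a triage signal to correlate with server panic logs rather than proof of an attack.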
Details
- CWE(s)