
fix: upgrade Go to 1.26.3 to resolve CVE-2026-33814 #3099

Merged
migmartri merged 2 commits into main from chainloop/fix-cve-2026-33814-20260510-090144
May 10, 2026

Conversation

@chainloop-platform
Contributor

Summary

Upgrade Go from 1.26.2 to 1.26.3 to remediate CVE-2026-33814, an infinite loop vulnerability in HTTP/2 transport that affects all gRPC clients in the Chainloop codebase.

Vulnerability Fixed

CVE-2026-33814 (HIGH severity)

When processing HTTP/2 SETTINGS frames, the Go transport enters an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0. This can cause denial of service, resource exhaustion, and service disruption in CI/CD pipelines.

Changes Made

  • Updated go.mod to use Go 1.26.3 (from 1.26.2)
  • Go 1.26.3 includes the fix that properly validates SETTINGS_MAX_FRAME_SIZE values to prevent the infinite loop condition

Impact

This vulnerability is reachable in Chainloop because:

  • The Control Plane and Artifact CAS gRPC servers use HTTP/2 for all RPC communication
  • The CLI gRPC clients establish outbound HTTP/2 connections to Control Plane and CAS services
  • A compromised server could exploit this to cause clients to hang indefinitely, blocking attestation workflows

The fix ensures all gRPC clients are protected from malicious servers sending malformed SETTINGS frames.

CVE-2026-33814 is an infinite loop vulnerability in Go's HTTP/2 transport
implementation. When an HTTP/2 client receives a SETTINGS frame with
SETTINGS_MAX_FRAME_SIZE set to 0 from a malicious server, the transport
enters an infinite loop writing CONTINUATION frames.

This vulnerability affects all gRPC clients in the Chainloop codebase,
including the CLI and inter-service communication components, as gRPC
uses HTTP/2 transport.

Upgrading to Go 1.26.3 includes the fix that properly validates
SETTINGS_MAX_FRAME_SIZE values to prevent the infinite loop condition.

Assisted-by: Claude Code
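The description above explains the failure mode in two steps: a SETTINGS frame arrives advertising SETTINGS_MAX_FRAME_SIZE = 0, and the transport then tries to split outgoing header blocks into frames of that size and never makes progress. The following is an added illustration, not Chainloop code and not the Go standard library's fix: it decodes a SETTINGS payload, applies the range check that RFC 9113 requires for this setting (16384 to 16777215, anything else is a PROTOCOL_ERROR), and models the HEADERS/CONTINUATION chunking loop with a guard so that a zero becomes an error rather than a hang. The payload bytes are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constants from RFC 9113 §6.5.2 (not from the pull request): the
// SETTINGS_MAX_FRAME_SIZE identifier and its permitted range.
const (
	settingMaxFrameSize uint16 = 0x5
	minMaxFrameSize     uint32 = 1 << 14   // 16384, also the initial value
	maxMaxFrameSize     uint32 = 1<<24 - 1 // 16777215
)

var ErrProtocol = errors.New("PROTOCOL_ERROR: SETTINGS_MAX_FRAME_SIZE out of range")

// parseSettings decodes a SETTINGS frame payload: big-endian pairs of a
// 16-bit identifier and a 32-bit value, six bytes per setting.
func parseSettings(payload []byte) (map[uint16]uint32, error) {
	if len(payload)%6 != 0 {
		return nil, errors.New("FRAME_SIZE_ERROR: SETTINGS payload length not a multiple of 6")
	}
	settings := make(map[uint16]uint32)
	for i := 0; i < len(payload); i += 6 {
		id := binary.BigEndian.Uint16(payload[i : i+2])
		settings[id] = binary.BigEndian.Uint32(payload[i+2 : i+6])
	}
	return settings, nil
}

// checkPeerSettings is the validation a client should run before adopting
// the peer's max frame size. A zero, or any out-of-range value, is a
// connection error, so it never reaches the frame writer.
func checkPeerSettings(payload []byte) (uint32, error) {
	settings, err := parseSettings(payload)
	if err != nil {
		return 0, err
	}
	size, present := settings[settingMaxFrameSize]
	if !present {
		return minMaxFrameSize, nil // setting omitted: keep the default
	}
	if size < minMaxFrameSize || size > maxMaxFrameSize {
		return 0, ErrProtocol
	}
	return size, nil
}

// framesNeeded models how a sender splits a header block larger than the
// peer's max frame size into one HEADERS frame plus CONTINUATION frames.
// With maxFrameSize == 0 the remaining length would never decrease, which
// is the non-terminating loop the advisory describes; the guard turns that
// into an error instead of a hang.
func framesNeeded(headerBlockLen int, maxFrameSize uint32) (int, error) {
	if maxFrameSize == 0 {
		return 0, errors.New("refusing to split header block: max frame size is 0")
	}
	frames := 0
	for remaining := headerBlockLen; remaining > 0; remaining -= int(maxFrameSize) {
		frames++
	}
	return frames, nil
}

func main() {
	// Constructed payload: one SETTINGS_MAX_FRAME_SIZE = 0 entry, the
	// malformed value the advisory describes.
	malformed := []byte{0x00, 0x05, 0x00, 0x00, 0x00, 0x00}
	if _, err := checkPeerSettings(malformed); err != nil {
		fmt.Println("rejected:", err)
	}
	// Constructed payload: SETTINGS_MAX_FRAME_SIZE = 16384, the default.
	ok := []byte{0x00, 0x05, 0x00, 0x00, 0x40, 0x00}
	size, _ := checkPeerSettings(ok)
	n, _ := framesNeeded(40000, size)
	fmt.Printf("max frame size %d: a 40000-byte header block needs %d frames\n", size, n)
}
```

The point for a client such as the Chainloop CLI is that the check belongs at the moment the peer's setting is received, not in the writer: once a zero has been stored as the effective frame size, every later code path that divides by it or loops on it is exposed.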
migmartri previously approved these changes May 10, 2026

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

Propagate the Go 1.26.3 upgrade to the goreleaser Dockerfiles and CLAUDE.md so the runtime images and documentation match go.mod.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
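The second commit exists because a toolchain bump in go.mod alone leaves the release images behind: a goreleaser Dockerfile still building with the older golang image ships the vulnerable transport even though the module says 1.26.3. The following is an added example, not Chainloop's tooling, of the consistency check that would catch that drift in CI. It reads the go directive from go.mod contents, collects every golang:<x.y.z> image tag from Dockerfile contents, and reports any pin below the fixed release or any Dockerfile that disagrees with go.mod. The file contents in main are constructed; the actual Chainloop Dockerfile layout is not assumed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// fixedGoVersion is the release the pull request upgrades to; anything
// older is assumed to still carry the vulnerable HTTP/2 transport.
const fixedGoVersion = "1.26.3"

var (
	// Matches the `go 1.26.3` directive in go.mod (a `toolchain` line is ignored).
	goDirectiveRe = regexp.MustCompile(`(?m)^go\s+(\d+\.\d+(?:\.\d+)?)\s*$`)
	// Matches golang:<x.y.z> image tags in Dockerfile FROM lines.
	golangImageRe = regexp.MustCompile(`golang:(\d+\.\d+\.\d+)`)
)

// parseVersion turns "1.26.3" into [1 26 3]; a two-part "1.26" becomes [1 26 0].
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("malformed Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("malformed Go version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// atLeast reports whether v is the same release as min or a newer one.
func atLeast(v, min string) (bool, error) {
	a, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	b, err := parseVersion(min)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] > b[i], nil
		}
	}
	return true, nil
}

// goModVersion extracts the go directive from go.mod contents.
func goModVersion(gomod string) (string, error) {
	m := goDirectiveRe.FindStringSubmatch(gomod)
	if m == nil {
		return "", errors.New("go.mod has no go directive")
	}
	return m[1], nil
}

// imageVersions lists every golang:<x.y.z> tag referenced in a Dockerfile.
func imageVersions(dockerfile string) []string {
	var versions []string
	for _, m := range golangImageRe.FindAllStringSubmatch(dockerfile, -1) {
		versions = append(versions, m[1])
	}
	return versions
}

// audit returns one finding per problem: go.mod older than the fixed
// release, or a Dockerfile whose builder image disagrees with go.mod.
// Dockerfiles are visited in name order so the output is stable.
func audit(gomod string, dockerfiles map[string]string) ([]string, error) {
	modVersion, err := goModVersion(gomod)
	if err != nil {
		return nil, err
	}
	patched, err := atLeast(modVersion, fixedGoVersion)
	if err != nil {
		return nil, err
	}
	var findings []string
	if !patched {
		findings = append(findings, fmt.Sprintf("go.mod pins Go %s, below the fixed release %s", modVersion, fixedGoVersion))
	}
	names := make([]string, 0, len(dockerfiles))
	for name := range dockerfiles {
		names = append(names, name)
	}
	sort.Strings(names)
	for _, name := range names {
		for _, v := range imageVersions(dockerfiles[name]) {
			if v != modVersion {
				findings = append(findings, fmt.Sprintf("%s builds with golang:%s but go.mod says %s", name, v, modVersion))
			}
		}
	}
	return findings, nil
}

func main() {
	// Constructed inputs standing in for the repository files.
	gomod := "module example.com/chainloop\n\ngo 1.26.3\n"
	dockerfiles := map[string]string{
		"Dockerfile.cli": "FROM golang:1.26.3 AS builder\n",
		"Dockerfile.cas": "FROM golang:1.26.2 AS builder\n",
	}
	findings, err := audit(gomod, dockerfiles)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

Wired into CI, a non-empty findings list fails the build, which is the cheapest way to make sure a go.mod bump like this one cannot merge without the matching Dockerfile changes.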
@migmartri migmartri merged commit 34f232b into main May 10, 2026
15 checks passed
@migmartri migmartri deleted the chainloop/fix-cve-2026-33814-20260510-090144 branch May 10, 2026 15:15