azurelinux-security · azurelinux-security · May 13, 2026
diff --git a/SPECS/ignition-flatcar/CVE-2026-33814.patch b/SPECS/ignition-flatcar/CVE-2026-33814.patch
@@ -0,0 +1,48 @@
+From f8fa6c0656fb203051061615a79c8d0fe6342f37 Mon Sep 17 00:00:00 2001
+From: "Nicholas S. Husin" <nsh@golang.org>
+Date: Tue, 31 Mar 2026 15:15:30 -0400
+Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
+
+This CL backports https://go.dev/cl/761581 to x/net.
+
+Fixes golang/go#78476
+Fixes CVE-2026-33814
+
+Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
+Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: Nicholas Husin <husin@google.com>
+Reviewed-by: Damien Neil <dneil@google.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
+---
+ vendor/golang.org/x/net/http2/transport.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index f26356b..a401b27 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -2858,6 +2858,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+
+ 	var seenMaxConcurrentStreams bool
+ 	err := f.ForeachSetting(func(s Setting) error {
++		if err := s.Valid(); err != nil {
++			return err
++		}
+ 		switch s.ID {
+ 		case SettingMaxFrameSize:
+ 			cc.maxFrameSize = s.Val
+@@ -2889,9 +2892,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+ 			cc.henc.SetMaxDynamicTableSize(s.Val)
+ 			cc.peerMaxHeaderTableSize = s.Val
+ 		case SettingEnableConnectProtocol:
+-			if err := s.Valid(); err != nil {
+-				return err
+-			}
+ 			// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
+ 			// we require that it do so in the first SETTINGS frame.
+ 			//
+-- 
+2.45.4
+
diff --git a/SPECS/ignition-flatcar/ignition-flatcar.spec b/SPECS/ignition-flatcar/ignition-flatcar.spec
@@ -24,7 +24,7 @@ Version:                2.22.0
 %global dracutlibdir %{_prefix}/lib/dracut
 
 Name:           ignition-flatcar
-Release:        3%{?dist}
+Release:        4%{?dist}
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Summary:        First boot installer and configuration tool
@@ -55,6 +55,7 @@ Patch18:        0019-usr-share-oem-oem.patch
 Patch19:        0020-internal-exec-stages-mount-Mount-oem.patch
 Patch20:        CVE-2026-27141.patch
 Patch21:        CVE-2026-29181.patch
+Patch22:        CVE-2026-33814.patch
 
 BuildRequires: libblkid-devel
 BuildRequires: systemd-rpm-macros
@@ -203,6 +204,9 @@ VERSION=%{version} GOARCH=%{goarch} ./test
 %endif
 
 %changelog
+* Wed May 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.22.0-4
+- Patch for CVE-2026-33814
+
 * Mon May 04 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 2.22.0-3
 - Patch for CVE-2026-29181