CVE-2021-44716: High severity Golang Go vulnerability

Published Dec 9, 2021

An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

Reference: https://github.com/golang/go/issues/50058

Other sources

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources.

Affected Software

107 affected components (fixes available)
redhat/openshift-serverless-clients<0:1.0.0-2.el8 (fixed in 0:1.0.0-2.el8)
redhat/go-toolset<1.16-0:1.16.12-1.el7_9 (fixed in 1.16-0:1.16.12-1.el7_9)
redhat/go-toolset<1.16-golang-0:1.16.12-1.el7_9 (fixed in 1.16-golang-0:1.16.12-1.el7_9)
redhat/grafana<0:7.5.9-5.el8_5 (fixed in 0:7.5.9-5.el8_5)
redhat/grafana<0:7.3.6-4.el8_4 (fixed in 0:7.3.6-4.el8_4)
redhat/etcd<0:3.3.23-9.el7 (fixed in 0:3.3.23-9.el7)
redhat/grafana<0:5.2.4-5.el7 (fixed in 0:5.2.4-5.el7)
redhat/cri-o<0:1.23.0-92.rhaos4.10.gitdaab4d1.el7 (fixed in 0:1.23.0-92.rhaos4.10.gitdaab4d1.el7)
redhat/openshift<0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7 (fixed in 0:4.10.0-202202250816.p0.ge419edf.assembly.stream.el7)
redhat/containernetworking-plugins<0:0.9.1-2.rhaos4.10.el8 (fixed in 0:0.9.1-2.rhaos4.10.el8)
redhat/butane<0:0.13.1-2.rhaos4.9.el8 (fixed in 0:0.13.1-2.rhaos4.9.el8)
redhat/ignition<0:2.12.0-3.rhaos4.9.el8 (fixed in 0:2.12.0-3.rhaos4.9.el8)
redhat/mcg<0:5.10.0-72.el8 (fixed in 0:5.10.0-72.el8)
redhat/etcd<0:3.3.23-7.el8 (fixed in 0:3.3.23-7.el8)
redhat/kubevirt<0:4.12.0-1057.el7 (fixed in 0:4.12.0-1057.el7)
redhat/kubevirt<0:4.12.0-1057.el8 (fixed in 0:4.12.0-1057.el8)
Golang Go<1.16.12
Golang Go>=1.17.0<1.17.5
Debian Debian Linux=9.0
NetApp Cloud Insights Telegraf
redhat/Go<1.17.5 (fixed in 1.17.5)
redhat/Go<1.16.12 (fixed in 1.16.12)
IBM Data Virtualization on Cloud Pak for Data<=3.0
IBM Watson Query on Cloud Pak for Data<=2.2
IBM Watson Query on Cloud Pak for Data<=2.1
IBM Watson Query on Cloud Pak for Data<=2.0
IBM Data Virtualization on Cloud Pak for Data<=1.8
IBM Data Virtualization on Cloud Pak for Data<=1.7
Microsoft cbl2 nmi 1.8.7-15
Microsoft azl3 prometheus-process-exporter 0.7.10-15
Microsoft cbl2 local-path-provisioner 0.0.21-18
Microsoft cbl2 rook 1.6.2-26
Microsoft azl3 multus 3.8-13
Microsoft cbl2 application-gateway-kubernetes-ingress 1.4.0-25
Microsoft cbl2 csi-driver-lvm 0.4.1-17
Microsoft cbl2 keda 2.4.0-29
Microsoft azl3 node-problem-detector 0.8.10-18
Microsoft cbl2 cri-o 1.22.3-14
Microsoft cbl2 flannel 0.14.0-25
Microsoft cbl2 prometheus-process-exporter 0.7.10-21
Microsoft cbl2 node-problem-detector 0.8.10-20
Microsoft cbl2 prometheus-node-exporter 1.3.1-26
Microsoft cbl2 moby-cli 20.10.27-5
Microsoft cbl2 jx 3.2.236-21
Microsoft cbl2 libcontainers-common 20210626-7
Microsoft cbl2 git-lfs 3.1.4-17
Microsoft cbl2 moby-buildx 0.7.1-24
Microsoft azl3 keda 2.4.0-15
Microsoft cbl2 cf-cli 8.4.0-24
Microsoft azl3 moby-engine 25.0.3-1
Microsoft azl3 multus 4.0.2-1
Microsoft azl3 prometheus-process-exporter 0.8.2-1
Microsoft azl3 keda 2.14.0-1
Microsoft azl3 moby-engine 20.10.25-3
Microsoft cbl2 application-gateway-kubernetes-ingress 1.4.0-19
Microsoft cbl2 kured 1.13.2-1
Microsoft azl3 node-problem-detector 0.8.15-1
Microsoft cbl2 kube-vip-cloud-provider 0.0.2-22
Microsoft cbl2 golang 1.17.8-1
Microsoft cbl2 cf-cli 8.4.0-16
Microsoft cbl2 csi-driver-lvm 0.4.1-15
Microsoft cbl2 flannel 0.14.0-21
Microsoft cbl2 kube-vip-cloud-provider 0.0.2-16
Microsoft cbl2 moby-buildx 0.7.1-18
Microsoft cbl2 keda 2.4.0-19
Microsoft cbl2 jx 3.2.236-16
Microsoft cbl2 libcontainers-common 20210626-3
Microsoft cbl2 prometheus-node-exporter 1.3.1-24
Microsoft cbl2 local-path-provisioner 0.0.21-16
Microsoft cm1 golang 1.16.12-1
Microsoft cbl2 prometheus-process-exporter 0.7.10-19
Microsoft cbl2 nmi 1.8.11-2
Microsoft cbl2 rook 1.6.2-19
Microsoft cri-o-1.21.7-2.cm2.x86_64.rpm
Microsoft cbl2 cri-o 1.21.7-2
Microsoft node-problem-detector-0.8.15-1.azl3.aarch64.rpm
Microsoft multus-k8s-yaml-4.0.2-1.azl3.aarch64.rpm
Microsoft node-problem-detector-config-0.8.15-1.azl3.aarch64.rpm
Microsoft keda-2.14.0-1.azl3.aarch64.rpm
Microsoft node-problem-detector-config-0.8.15-1.azl3.x86_64.rpm
Microsoft multus-debuginfo-4.0.2-1.azl3.aarch64.rpm
Microsoft multus-4.0.2-1.azl3.aarch64.rpm
Microsoft moby-engine-25.0.3-2.azl3.aarch64.rpm
Microsoft multus-debuginfo-4.0.2-1.azl3.x86_64.rpm
Microsoft multus-k8s-yaml-4.0.2-1.azl3.x86_64.rpm
Microsoft csi-driver-lvm-0.4.1-15.cm2.aarch64.rpm
Microsoft multus-4.0.2-1.azl3.x86_64.rpm
Microsoft cri-o-kubeadm-criconfig-1.21.7-2.cm2.aarch64.rpm
Microsoft csi-driver-lvm-lvmplugin-0.4.1-15.cm2.aarch64.rpm
Microsoft csi-driver-lvm-csi-lvmplugin-provisioner-0.4.1-15.cm2.aarch64.rpm
Microsoft node-problem-detector-0.8.15-1.azl3.x86_64.rpm
Microsoft application-gateway-kubernetes-ingress-1.4.0-19.cm2.aarch64.rpm
Microsoft csi-driver-lvm-debuginfo-0.4.1-15.cm2.x86_64.rpm
Microsoft cf-cli-8.4.0-16.cm2.aarch64.rpm
Microsoft csi-driver-lvm-csi-lvmplugin-provisioner-0.4.1-15.cm2.x86_64.rpm
Microsoft cri-o-kubeadm-criconfig-1.21.7-2.cm2.x86_64.rpm
Microsoft golang-1.16.12-1.cm1.aarch64.rpm
Microsoft moby-engine-25.0.3-2.azl3.x86_64.rpm
Microsoft csi-driver-lvm-0.4.1-15.cm2.x86_64.rpm
Microsoft application-gateway-kubernetes-ingress-1.4.0-19.cm2.x86_64.rpm
Microsoft keda-2.14.0-1.azl3.x86_64.rpm
Microsoft csi-driver-lvm-lvmplugin-0.4.1-15.cm2.x86_64.rpm
Microsoft cf-cli-8.4.0-16.cm2.x86_64.rpm
Microsoft cri-o-1.21.7-2.cm2.aarch64.rpm
Microsoft golang-1.16.12-1.cm1.x86_64.rpm
Microsoft csi-driver-lvm-debuginfo-0.4.1-15.cm2.aarch64.rpm

Remediation

This flaw can be mitigated by disabling HTTP/2. Setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.
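As an added example (not code from this advisory or from the Go project), the in-code counterpart of the GODEBUG mitigation above: a non-nil, empty TLSNextProto map keeps net/http from registering its bundled HTTP/2 handler, and a loopback probe confirms which protocol a client offering h2 actually gets. NewServer, NegotiatedProto and the throwaway self-signed certificate are constructed for this illustration; the same caveat as for GODEBUG applies, since golang.org/x/net/http2's ConfigureServer fills in TLSNextProto["h2"] itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"time"
)

// NewServer builds an http.Server; with disableH2 set, TLSNextProto becomes a non-nil
// empty map, so ServeTLS never registers the bundled HTTP/2 handler (like GODEBUG=http2server=0).
func NewServer(h http.Handler, disableH2 bool) *http.Server {
	srv := &http.Server{Handler: h}
	if disableH2 {
		srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
	}
	return srv
}

// NegotiatedProto serves srv over loopback TLS with a throwaway self-signed certificate (constructed
// here), sends one request from a client offering h2 via ALPN, and returns the negotiated protocol.
func NegotiatedProto(srv *http.Server) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	srv.TLSConfig = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	go srv.ServeTLS(ln, "", "") // advertises "h2" only when TLSNextProto is nil
	defer srv.Close()
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, ForceAttemptHTTP2: true} // skip-verify: own loopback probe only
	resp, err := (&http.Client{Transport: tr}).Get("https://" + ln.Addr().String() + "/")
	if err != nil {
		return "", err
	}
	return resp.Proto, resp.Body.Close() // "HTTP/2.0" or "HTTP/1.1"
}
```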

Event History

Dec 9, 2021: CVE published (12:00 AM); data sourced via Red Hat (06:36 PM): description, severity, affected software.
Jan 1, 2022: CVE published via MITRE (12:00 AM); data sourced via MITRE (12:00 AM): description.
Jan 13, 2022: data sourced via Microsoft (12:00 AM): description, severity, weakness, affected software; updated via Microsoft (12:00 AM): affected software; updated via Microsoft (08:00 AM): description, severity, weakness; updated via Microsoft (08:00 AM): severity, affected software; updated via Microsoft (08:00 AM): affected software.
Aug 15, 2025: data sourced via IBM (03:29 PM): description, affected software.
Frequently Asked Questions

1. What is CVE-2021-44716?

CVE-2021-44716 is a vulnerability in the net/http library in Go before 1.16.12 and 1.17.x before 1.17.5.

2. What is the severity of CVE-2021-44716?

CVE-2021-44716 has a severity score of 7.5 (high).

3. How can I exploit CVE-2021-44716?

CVE-2021-44716 can be exploited by submitting specially crafted requests to applications linked with net/http's http2 functionality.

4. How can I fix CVE-2021-44716?

To fix CVE-2021-44716, update your Go installation to version 1.16.12 or 1.17.5, depending on the version you are using.

5. Where can I find more information about CVE-2021-44716?

You can find more information about CVE-2021-44716 in the references provided: [link 1](https://github.com/golang/go/issues/50058), [link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2030802), [link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2030804).
