
[Medium] Patch etcd for CVE-2026-33814 #17434

Open
Ratiranjan5 wants to merge 3 commits into microsoft:3.0-dev from Ratiranjan5:topic_etcd-3.0

Conversation

@Ratiranjan5 (Contributor) commented May 25, 2026

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Patch etcd for CVE-2026-33814

  • The package etcd is affected by this CVE as it vendors golang.org/x/net/http2, and the vendored version in our source is golang.org/x/net v0.51.0, which falls within the affected range (from 0 before 0.53.0).
  • The upstream patch has been backported manually.
  • The patch matches the upstream patch, except that the changes to test files are not included, as the corresponding test files are not present in our version of the source code.
Change Log
  • new file: SPECS/etcd/CVE-2026-33814.patch
  • modified: SPECS/etcd/etcd.spec
Does this affect the toolchain?

NO

Links to CVEs
Test Methodology
  • Local build was successful. (screenshot)
  • Patch applies cleanly. (screenshot)
  • Check Installation: (screenshot)
  • Check Uninstallation: (screenshots)

@microsoft-github-policy-service microsoft-github-policy-service Bot added Packaging 3.0-dev PRs Destined for AzureLinux 3.0 labels May 25, 2026
@Kanishk-Bansal Kanishk-Bansal marked this pull request as ready for review May 26, 2026 03:08
@Kanishk-Bansal Kanishk-Bansal requested a review from a team as a code owner May 26, 2026 03:08
@mfrw (Member) left a comment

LGTM ✅ — patch verified against upstream and the etcd build itself is green on both archs.

Patch verification: matches upstream golang/net 1e71bd8 — move the s.Valid() call from inside the SettingEnableConnectProtocol case to the top of the ForeachSetting callback. Path prefix (vendor/golang.org/x/net/http2/) and ±4-line offsets differ from upstream because etcd vendors a slightly older snapshot; the hunks themselves are byte-identical. Omitting the upstream http2/transport_test.go is correct since _test.go files aren't shipped in the vendored copy (as noted in the PR description).

Build / CI on buildId=1125645:

Stage                                                               AMD64         ARM64
Toolchain                                                           ✅ succeeded  ✅ succeeded
Toolchain_tests                                                     ✅ succeeded  ✅ succeeded
Build packages (incl. etcd-3.5.30-2.azl3.{src,x86_64,aarch64}.rpm)  ✅ succeeded  ✅ succeeded
Verify all tests passed                                             ❌ failed     ❌ failed

The Verify all tests passed reds are unrelated to this change — I checked the failing test runs and none of them touch etcd or http2:

  • AKS Testing (Mariner AKS Testing on ubuntu / on mariner-custom): Cluster Creation Failed in ~1300–1500s, Expected 3 ready nodes, found 2, Cluster Scale Up took 276s (threshold 270s). Azure-side cluster-provisioning flake / marginal timing.
  • Package-Test: ~20–24 failures across unrelated packages (libxslt, binutils, nlohmann-json, perl, zchunk, systemd, ostree, nfs-utils, meson, qemu-kvm, c-ares, dnf, ansible, python-pip, python-cryptography, python-setuptools, softhsm, gd, …). Looks like broad CI infrastructure breakage on this run.

@Ratiranjan5 — could you re-trigger the failed stages? The etcd RPM itself builds and packages cleanly on both archs.

Signed-Off By: @mfrw

Comment thread SPECS/etcd/CVE-2026-33814.patch
@@ -0,0 +1,42 @@
From 7e9e82f8c3033974b16d93835521f6e133a7c9aa Mon Sep 17 00:00:00 2001
Member

Patch looks good w.r.t. upstream.

The single vendor/golang.org/x/net/http2/transport.go hunk matches upstream golang/net 1e71bd8 — same move of the s.Valid() call from inside the SettingEnableConnectProtocol case to the top of the ForeachSetting callback. ✓

Omitting the upstream http2/transport_test.go hunk is fine — that file isn't shipped in the vendored snapshot.

Comment thread SPECS/etcd/etcd.spec
@@ -3,7 +3,7 @@
Summary: A highly-available key value store for shared configuration
Member

Release bump, Patch1 declaration and changelog entry look good.

Non-blocking observation: PATCH1 is applied to all 5 components (server, etcdctl, etcdutl, tools/etcd-dump-db, tools/etcd-dump-logs), whereas the existing PATCH0 (CVE-2026-29181) is only applied to the first three. The Build packages task succeeded on both archs so the tools' vendor tarballs do contain vendor/golang.org/x/net/http2/transport.go — this PR's broader coverage looks correct. Worth keeping in mind for any future re-issue of CVE-2026-29181.

@azurelinux-security (Contributor)

🔒 CVE Patch Review: CVE-2026-33814

PR #17434 — [Medium] Patch etcd for CVE-2026-33814
Package: etcd | Branch: 3.0-dev


Spec File Validation

Check               Detail
Release bump        Release bumped 1 → 2
Patch entry         Patch entries added: ['CVE-2026-33814.patch'] (covers ['CVE-2026-33814'])
Patch application   No %autosetup/%autopatch or %patch N found — patches may not be applied in %prep
Changelog           Changelog entry looks good
Signatures          No source tarball changes — signatures N/A
Manifests           Not a toolchain PR — manifests N/A

Build Verification

  • Build status: ✅ PASSED
  • Artifact downloaded:
  • CVE applied during build:
  • Warnings (8):
    • L144: time="2026-05-26T03:20:05Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-29181.patch"
    • L145: time="2026-05-26T03:20:05Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-33814.patch"
    • L153: time="2026-05-26T03:20:21Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-29181.patch"
    • L154: time="2026-05-26T03:20:21Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-33814.patch"
    • L162: time="2026-05-26T03:20:27Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-29181.patch"
    • L163: time="2026-05-26T03:20:27Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-33814.patch"
    • L172: time="2026-05-26T03:20:34Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-33814.patch"
    • L180: time="2026-05-26T03:20:38Z" level=debug msg="+ patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=/usr/src/azl/SOURCES/CVE-2026-33814.patch"

🤖 AI Build Log Analysis

  • Risk: low
  • Summary: The etcd 3.5.30-2.azl3 package built successfully with the CVE-2026-33814 patch applied. Sources were prepared, vendor tarballs unpacked, the CVE patches were applied to server, etcdctl, etcdutl, and tools components with strict fuzz=0, and all Go binaries were built and packaged without compilation or linker errors. The build produced the etcd, etcd-tools, and debuginfo RPMs. Tests were disabled (nocheck).
  • AI-detected warnings:
    • rpmbuild warning: Macro expanded in comment (spec formatting warning)
    • rpmbuild warning: Could not canonicalize hostname (non-fatal environment issue)
    • debuginfo phase messages: /bin/debugedit: DWARF version 0 unhandled for several Go binaries (typical for Go-built artifacts and non-fatal)

🧪 Test Log Analysis

No test log found (package may not have a %check section).


Patch Analysis

  • Match type: backport
  • Risk assessment: low
  • Summary: The PR applies the same functional change as the upstream fix by validating every HTTP/2 SETTINGS parameter in processSettingsNoWrite and removing the now-redundant per-case validation for SettingEnableConnectProtocol, thereby preventing hangs on invalid settings (e.g., MaxFrameSize=0). It targets the vendored x/net in etcd and omits only the upstream test addition, consistent with a packaging backport.
  • Missing hunks:
    • Upstream added a new test (TestTransportDoNotHangOnZeroMaxFrameSize) in http2/transport_test.go; the PR does not include this test.
Detailed analysis
  1. Core fix equivalence: Upstream changes http2/transport.go in clientConnReadLoop.processSettingsNoWrite to call s.Valid() for every setting within f.ForeachSetting, returning an error on invalid settings, and removes the specific validity check inside the SettingEnableConnectProtocol case. The PR applies exactly this logic: it inserts the early s.Valid() check and deletes the per-case validation for SettingEnableConnectProtocol. This is the functional essence of the CVE fix, preventing the client from hanging when receiving an invalid SETTINGS frame (e.g., MaxFrameSize=0).

  2. Differences: The PR modifies vendor/golang.org/x/net/http2/transport.go (vendored in etcd) rather than http2/transport.go, and it does not include the upstream test additions. The code hunks (3 insertions, 3 deletions) match upstream semantics; only line offsets and file path differ due to vendoring and version differences.

  3. Missing hunks justification: The upstream patch also adds a test to transport_test.go. Tests are typically not included in vendor patches within product packaging; their absence does not affect the runtime fix. No other upstream code changes are missing.

  4. Completeness and regression risk: Applying s.Valid() uniformly means invalid settings are now rejected early, which resolves the hang and aligns with HTTP/2 spec compliance. This could cause earlier connection errors with misbehaving peers that previously slipped through, but that is intended and low risk for compliant servers. The removal of the per-case validation is safe because the new universal validation covers SettingEnableConnectProtocol as well. Context around the function matches sufficiently (minor line offset), indicating a clean backport.

Conclusion: The PR is a faithful backport of the upstream security fix to the vendored x/net/http2 code, with only the test hunk omitted.

Raw diff (upstream vs PR)
--- upstream
+++ pr
@@ -1,68 +1,48 @@
-From 1e71bd86e4a302b4e731bc06da6eb51679c7bd49 Mon Sep 17 00:00:00 2001
-From: "Nicholas S. Husin" <nsh@golang.org>
-Date: Tue, 31 Mar 2026 15:15:30 -0400
-Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
-
-This CL backports https://go.dev/cl/761581 to x/net.
-
-Fixes golang/go#78476
-Fixes CVE-2026-33814
-
-Change-Id: Ied435a51fdd8664d41dae14d082c39c76a6a6964
-Reviewed-on: https://go-review.googlesource.com/c/net/+/761640
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-Reviewed-by: Nicholas Husin <husin@google.com>
-Reviewed-by: Damien Neil <dneil@google.com>
----
- http2/transport.go      |  6 +++---
- http2/transport_test.go | 13 +++++++++++++
- 2 files changed, 16 insertions(+), 3 deletions(-)
-
-diff --git a/http2/transport.go b/http2/transport.go
-index 2e9c2f6a52..8132233310 100644
---- a/http2/transport.go
-+++ b/http2/transport.go
-@@ -2861,6 +2861,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
- 
- 	var seenMaxConcurrentStreams bool
- 	err := f.ForeachSetting(func(s Setting) error {
-+		if err := s.Valid(); err != nil {
-+			return err
-+		}
- 		switch s.ID {
- 		case SettingMaxFrameSize:
- 			cc.maxFrameSize = s.Val
-@@ -2892,9 +2895,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
- 			cc.henc.SetMaxDynamicTableSize(s.Val)
- 			cc.peerMaxHeaderTableSize = s.Val
- 		case SettingEnableConnectProtocol:
--			if err := s.Valid(); err != nil {
--				return err
--			}
- 			// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
- 			// we require that it do so in the first SETTINGS frame.
- 			//
-diff --git a/http2/transport_test.go b/http2/transport_test.go
-index d948b881a3..9068375177 100644
---- a/http2/transport_test.go
-+++ b/http2/transport_test.go
-@@ -5677,6 +5677,19 @@ func testTransportTLSNextProtoConnImmediateFailureUnused(t testing.TB) {
- 	}
- }
- 
-+func TestTransportDoNotHangOnZeroMaxFrameSize(t *testing.T) {
-+	synctestTest(t, testTransportDoNotHangOnZeroMaxFrameSize)
-+}
-+func testTransportDoNotHangOnZeroMaxFrameSize(t testing.TB) {
-+	tc := newTestClientConn(t)
-+	tc.writeSettings(Setting{ID: SettingMaxFrameSize, Val: 0})
-+	tc.wantFrameType(FrameSettings)
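Review bot: the upstream TestTransportDoNotHangOnZeroMaxFrameSize hunk above is the only regression test for the hang, and the PR patch drops it because the vendored tree carries no _test.go files; that is the right call for a vendor backport, but the PR patch's own commit message does not record the omission, so a one-line note there (the way the PR description already does) would stop a future rebase from trying to re-apply the upstream test hunk against a file that does not exist.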
+diff --git a/SPECS/etcd/CVE-2026-33814.patch b/SPECS/etcd/CVE-2026-33814.patch
+new file mode 100644
+index 00000000000..330ef2c75ca
+--- /dev/null
++++ b/SPECS/etcd/CVE-2026-33814.patch
+@@ -0,0 +1,42 @@
++From 7e9e82f8c3033974b16d93835521f6e133a7c9aa Mon Sep 17 00:00:00 2001
++From: AllSpark <allspark@microsoft.com>
++Date: Thu, 14 May 2026 09:00:37 +0000
++Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
 +
-+	req, _ := http.NewRequest("POST", "https://dummy.tld/", strings.NewReader("body"))
-+	tc.roundTrip(req)
-+	// Previously, https://go.dev/issue/78476 caused an infinite hang here.
-+}
++This CL backports https://go.dev/cl/761581 to x/net.
 +
- func TestExtendedConnectClientWithServerSupport(t *testing.T) {
- 	SetDisableExtendedConnectProtocol(t, false)
- 	ts := newTestServer(t, func(w http.ResponseWriter, r *http.Request) {
++Fixes golang/go#78476
++Fixes CVE-2026-33814
++
++Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
++---
++ vendor/golang.org/x/net/http2/transport.go | 6 +++---
++ 1 file changed, 3 insertions(+), 3 deletions(-)
++
++diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
++index 8cf64b7..3b514a3 100644
++--- a/vendor/golang.org/x/net/http2/transport.go
+++++ b/vendor/golang.org/x/net/http2/transport.go
++@@ -2865,6 +2865,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
++ 
++ 	var seenMaxConcurrentStreams bool
++ 	err := f.ForeachSetting(func(s Setting) error {
+++		if err := s.Valid(); err != nil {
+++			return err
+++		}
++ 		switch s.ID {
++ 		case SettingMaxFrameSize:
++ 			cc.maxFrameSize = s.Val
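Review bot: the inserted `if err := s.Valid(); err != nil { return err }` sits before `switch s.ID`, so an out-of-range value is rejected before `cc.maxFrameSize = s.Val` can run; that ordering is what prevents the MaxFrameSize=0 case the analysis above cites, and it matches the upstream @@ -2861 hunk byte-for-byte apart from the +4 line offset. Nothing to change here; anyone rebasing should keep the check ahead of the switch rather than folding it into the SettingMaxFrameSize case, or other invalid settings would slip through again.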
++@@ -2896,9 +2899,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
++ 			cc.henc.SetMaxDynamicTableSize(s.Val)
++ 			cc.peerMaxHeaderTableSize = s.Val
++ 		case SettingEnableConnectProtocol:
++-			if err := s.Valid(); err != nil {
++-				return err
++-			}
++ 			// If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
++ 			// we require that it do so in the first SETTINGS frame.
++ 			//
++-- 
++2.45.4
++
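Review bot: the removal of the per-case `s.Valid()` under `case SettingEnableConnectProtocol:` is only safe because the first hunk now validates every setting before the switch, so the two hunks must always travel together; a rebase that loses the first hunk would leave ENABLE_CONNECT_PROTOCOL unvalidated, which is a regression rather than a no-op. Separately, the patch header credits AllSpark as author while reusing the upstream commit message verbatim ('This CL backports https://go.dev/cl/761581 to x/net'); the Upstream-reference trailer already points at golang/net 1e71bd86, but keeping the original From:/Date: lines or adding a '(cherry picked from commit 1e71bd86e4a302b4e731bc06da6eb51679c7bd49)' trailer would make authorship provenance unambiguous for later audits.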

Verdict

CHANGES REQUESTED — Please address the issues flagged above.
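The mechanics both reviews above describe (validate every SETTINGS parameter before acting on it, instead of only inside one case) as an added, stand-alone Go example. This is not etcd's or golang.org/x/net's code: the names follow x/net's http2 package, Valid() is a re-implementation of the RFC 7540 6.5.2 / RFC 8441 limits for three settings, and ConnState, FrameCount and BadPeerSettings are constructed for illustration. The unpatched and patched appliers mirror the before/after shape of the hunks; FrameCount shows why a stored MaxFrameSize of 0 turns into a writer that never makes progress.

```go
package main

import (
	"errors"
	"fmt"
)

// SETTINGS identifiers from RFC 7540 6.5.2 and RFC 8441. Names follow golang.org/x/net/http2;
// everything here is a stand-alone re-implementation for this example, not the vendored library.
type SettingID uint16

const (
	SettingEnablePush            SettingID = 0x2
	SettingMaxFrameSize          SettingID = 0x5
	SettingEnableConnectProtocol SettingID = 0x8
)

type Setting struct {
	ID  SettingID
	Val uint32
}

// Valid enforces the per-parameter limits the RFCs attach to each setting.
func (s Setting) Valid() error {
	switch s.ID {
	case SettingEnablePush, SettingEnableConnectProtocol:
		if s.Val > 1 {
			return fmt.Errorf("PROTOCOL_ERROR: setting 0x%x must be 0 or 1, got %d", uint16(s.ID), s.Val)
		}
	case SettingMaxFrameSize:
		if s.Val < 1<<14 || s.Val > 1<<24-1 {
			return fmt.Errorf("PROTOCOL_ERROR: max frame size %d outside [2^14, 2^24-1]", s.Val)
		}
	}
	return nil
}

// ConnState is the slice of client connection state that SETTINGS updates.
type ConnState struct {
	MaxFrameSize          uint32 // RFC default is 2^14 until the peer says otherwise
	EnableConnectProtocol bool
}

func NewConnState() *ConnState { return &ConnState{MaxFrameSize: 1 << 14} }

// ApplySettingsUnpatched has the pre-fix shape: only the ENABLE_CONNECT_PROTOCOL
// case calls Valid(), so MAX_FRAME_SIZE=0 is stored verbatim.
func ApplySettingsUnpatched(cc *ConnState, settings []Setting) error {
	for _, s := range settings {
		switch s.ID {
		case SettingMaxFrameSize:
			cc.MaxFrameSize = s.Val
		case SettingEnableConnectProtocol:
			if err := s.Valid(); err != nil {
				return err
			}
			cc.EnableConnectProtocol = s.Val == 1
		}
	}
	return nil
}

// ApplySettingsPatched has the post-fix shape: every setting is validated before
// the switch, so no invalid value reaches connection state.
func ApplySettingsPatched(cc *ConnState, settings []Setting) error {
	for _, s := range settings {
		if err := s.Valid(); err != nil {
			return err
		}
		switch s.ID {
		case SettingMaxFrameSize:
			cc.MaxFrameSize = s.Val
		case SettingEnableConnectProtocol:
			cc.EnableConnectProtocol = s.Val == 1
		}
	}
	return nil
}

// FrameCount models a DATA writer splitting bodyLen bytes into frames of at most
// MaxFrameSize; with 0 the loop would never advance (the hang), so it is guarded.
func FrameCount(cc *ConnState, bodyLen int) (int, error) {
	if cc.MaxFrameSize == 0 {
		return 0, errors.New("MaxFrameSize is 0: frame writer cannot make progress")
	}
	n := 0
	for remaining := bodyLen; remaining > 0; remaining -= int(cc.MaxFrameSize) {
		n++
	}
	return n, nil
}

// BadPeerSettings is a constructed peer frame: MAX_FRAME_SIZE=0 (invalid) then ENABLE_PUSH=0.
var BadPeerSettings = []Setting{{ID: SettingMaxFrameSize, Val: 0}, {ID: SettingEnablePush, Val: 0}}

func main() {
	old, fixed := NewConnState(), NewConnState()
	fmt.Println("unpatched:", ApplySettingsUnpatched(old, BadPeerSettings), "MaxFrameSize =", old.MaxFrameSize)
	_, err := FrameCount(old, 1024)
	fmt.Println("unpatched writer:", err)
	fmt.Println("patched:  ", ApplySettingsPatched(fixed, BadPeerSettings), "MaxFrameSize =", fixed.MaxFrameSize)
}
```

The unpatched applier accepts the frame and leaves MaxFrameSize at 0, which is the state the writer then cannot make progress from; the patched applier returns the PROTOCOL_ERROR before the switch and the connection state is untouched, which is exactly the property the first hunk of the patch establishes. An ENABLE_CONNECT_PROTOCOL value of 2 is rejected by both shapes, which is why removing the per-case check in the second hunk loses nothing once the first hunk is in place.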


Labels

3.0-dev PRs Destined for AzureLinux 3.0 Packaging security


4 participants