diff --git a/backport-0037-net-http-raise-an-error-when-a-http2-header-frame-is.patch b/backport-0037-net-http-raise-an-error-when-a-http2-header-frame-is.patch
new file mode 100644
index 0000000000000000000000000000000000000000..75eb1330d8dd77f97c13362e8b2355258286d429
--- /dev/null
+++ b/backport-0037-net-http-raise-an-error-when-a-http2-header-frame-is.patch
@@ -0,0 +1,43 @@
+From 987589dc7dbfe5967f3cddf81dd298e91fd3c85b Mon Sep 17 00:00:00 2001
+From: Jonathan KUMA <jonathan.kuma@gmail.com>
+Date: Thu, 6 Nov 2025 14:51:41 +0100
+Subject: [PATCH] net-http raise an error when a http2 header frame is
+ malformed
+
+Fixes #31986
+---
+ src/net/http/h2_bundle.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/net/http/h2_bundle.go b/src/net/http/h2_bundle.go
+index 5ad0c28..5356eef 100644
+--- a/src/net/http/h2_bundle.go
++++ b/src/net/http/h2_bundle.go
+@@ -1875,6 +1875,10 @@ func (fr *http2Framer) ErrorDetail() error {
+ // sends a frame that is larger than declared with SetMaxReadFrameSize.
+ var http2ErrFrameTooLarge = errors.New("http2: frame too large")
+ 
++// ErrFrameHeadersMalformed is returned from Framer.ReadFrame when the
++// peer sends a http2FrameHeaders frame with a malformed header block.
++var http2ErrFrameHeadersMalformed = errors.New("http2: malformed header frame")
++
+ // terminalReadFrameError reports whether err is an unrecoverable
+ // error from ReadFrame and no other frames should be read.
+ func http2terminalReadFrameError(err error) bool {
+@@ -1924,7 +1928,12 @@ func (fr *http2Framer) ReadFrame() (http2Frame, error) {
+ 		fr.debugReadLoggerf("http2: Framer %p: read %v", fr, http2summarizeFrame(f))
+ 	}
+ 	if fh.Type == http2FrameHeaders && fr.ReadMetaHeaders != nil {
+-		return fr.readMetaFrame(f.(*http2HeadersFrame))
++		hf, ok := f.(*http2HeadersFrame)
++		if !ok {
++			return nil, http2ErrFrameHeadersMalformed
++		}
++
++		return fr.readMetaFrame(hf)
+ 	}
+ 	return f, nil
+ }
+-- 
+2.33.0
+
diff --git a/golang.spec b/golang.spec
index aa468c148cce084cc0ccf8737d277a9fabd28171..9c69061602a6a3234d6e9ee2807add6d6203f080 100644
--- a/golang.spec
+++ b/golang.spec
@@ -66,7 +66,7 @@
 
 Name:           golang
 Version:        1.21.4
-Release:        37
+Release:        38
 Summary:        The Go Programming Language
 License:        BSD and Public Domain
 URL:            https://golang.org/
@@ -156,6 +156,7 @@ Patch6033:	backport-0033-CVE-2025-47907-database-sql-avoid-closing-Rows-while-sc
 Patch6034:	backport-0034-CVE-2025-47906-os-exec-fix-incorrect-expansion-of-.-and-.-in-LookPa.patch
 Patch6035:	backport-0035-CVE-2025-4674-disable-support-for-multiple-vcs-in-one-module.patch
 Patch6036:  backport-0036-CVE-2025-22871-net-http-reject-newlines-in-.patch
+Patch6037:      backport-0037-net-http-raise-an-error-when-a-http2-header-frame-is.patch
 
 # Part 8001 ~ 8999
 # Developed optimization features
@@ -401,6 +402,12 @@ fi
 %files devel -f go-tests.list -f go-misc.list -f go-src.list
 
 %changelog
+* Wed Nov 12 2025 lijian <lijian01@kylinos.cn> - 1.21.4-38
+- Type:bugfix
+- bug:76199
+- SUG:NA
+- DESC: net/http: raise an error when a http2 header frame is malformed
+
 * Mon Sep 15 2025 songliyang <songliyang@kylinos.cn> - 1.21.4-37
 - Type:CVE
 - CVE:CVE-2025-22871