Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for webtransport-go by quic-go

    CVE-2026-21438 (GCVE-0-2026-21438)

    Vulnerability from nvd – Published: 2026-02-12 18:25 – Updated: 2026-02-17 15:39
    VLAI
    Title
    webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map
    Summary
    webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    • CWE-459 - Incomplete Cleanup
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21438",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:38:58.113284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:39:06.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-459",
                  "description": "CWE-459: Incomplete Cleanup",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:25:34.107Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2f2x-8mwp-p2gc",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21438",
        "datePublished": "2026-02-12T18:25:34.107Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-17T15:39:06.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21435 (GCVE-0-2026-21435)

    Vulnerability from nvd – Published: 2026-02-12 18:22 – Updated: 2026-02-17 15:36
    VLAI
    Title
    webtransport-go CloseWithError can block indefinitely
    Summary
    webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:35:59.809407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:36:08.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:24:49.233Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-px4r-g4p3-hhqv",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go CloseWithError can block indefinitely"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21435",
        "datePublished": "2026-02-12T18:22:58.098Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-17T15:36:08.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21434 (GCVE-0-2026-21434)

    Vulnerability from nvd – Published: 2026-02-12 18:18 – Updated: 2026-02-12 18:45
    VLAI
    Title
    webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
    Summary
    webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21434",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T18:45:50.348094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T18:45:58.158Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go\u0027s session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:18:04.821Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-g6x7-jq8p-6q9q",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21434",
        "datePublished": "2026-02-12T18:18:04.821Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-12T18:45:58.158Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21438 (GCVE-0-2026-21438)

    Vulnerability from cvelistv5 – Published: 2026-02-12 18:25 – Updated: 2026-02-17 15:39
    VLAI
    Title
    webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map
    Summary
    webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing Release of Memory after Effective Lifetime
    • CWE-459 - Incomplete Cleanup
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21438",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:38:58.113284Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:39:06.672Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-459",
                  "description": "CWE-459: Incomplete Cleanup",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:25:34.107Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2f2x-8mwp-p2gc",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21438",
        "datePublished": "2026-02-12T18:25:34.107Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-17T15:39:06.672Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21435 (GCVE-0-2026-21435)

    Vulnerability from cvelistv5 – Published: 2026-02-12 18:22 – Updated: 2026-02-17 15:36
    VLAI
    Title
    webtransport-go CloseWithError can block indefinitely
    Summary
    webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21435",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-17T15:35:59.809407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-17T15:36:08.731Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:24:49.233Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-px4r-g4p3-hhqv",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go CloseWithError can block indefinitely"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21435",
        "datePublished": "2026-02-12T18:22:58.098Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-17T15:36:08.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21434 (GCVE-0-2026-21434)

    Vulnerability from cvelistv5 – Published: 2026-02-12 18:18 – Updated: 2026-02-12 18:45
    VLAI
    Title
    webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
    Summary
    webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    quic-go webtransport-go Affected: < 0.10.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21434",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-12T18:45:50.348094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-12T18:45:58.158Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "webtransport-go",
              "vendor": "quic-go",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.10.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go\u0027s session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-12T18:18:04.821Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q"
            },
            {
              "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
            }
          ],
          "source": {
            "advisory": "GHSA-g6x7-jq8p-6q9q",
            "discovery": "UNKNOWN"
          },
          "title": "webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-21434",
        "datePublished": "2026-02-12T18:18:04.821Z",
        "dateReserved": "2025-12-29T03:00:29.275Z",
        "dateUpdated": "2026-02-12T18:45:58.158Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }