CVE-2026-21434

webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0	Product Release Notes
https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*

History

19 Feb 2026, 22:53

Type	Values Removed	Values Added
References	~~() https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0 -~~	() https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0 - Product, Release Notes
References	~~() https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q -~~	() https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q - Vendor Advisory
CPE		cpe:2.3:a:quic-go:webtransport-go::::::go::*
First Time		Quic-go Quic-go webtransport-go

12 Feb 2026, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-12 19:15

Updated : 2026-02-19 22:53

NVD link : CVE-2026-21434

Mitre link : CVE-2026-21434

CVE.ORG link : CVE-2026-21434

JSON object : View

Products Affected

quic-go

webtransport-go

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2026-21434", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-12T19:15:51.333", "references": [{"url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0."}], "lastModified": "2026-02-19T22:53:24.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "655FC296-1611-47D3-A71F-E5C093D2F463", "versionEndExcluding": "0.10.0", "versionStartIncluding": "0.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}