webtransport-go affected by a Memory Exhaustion Attack due to Missing...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

Basic Information

ID CVE-2026-21438

Source GitHub_M

Published Feb 12, 2026 at 18:25

Affected Product

Vendor quic-go

Product webtransport-go

Version < 0.10.0

Affected Versions quic-go webtransport-go < 0.10.0

CWE Classification

CWE-401 CWE-459

References

{
    "lastseen": "",
    "description": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.",
    "published": "2026-02-12T18:25:34.107Z",
    "modified": "2026-02-12T18:25:34.107Z",
    "type": "cve",
    "title": "webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map",
    "source": "GitHub_M",
    "references": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc\nhttps://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
    "id": "CVE-2026-21438",
    "bulletinFamily": "",
    "cwe": [
        "CWE-401",
        "CWE-459"
    ],
    "cvelist": null,
    "sourceData": "quic-go webtransport-go < 0.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "webtransport-go",
    "version": "< 0.10.0",
    "vendor": "quic-go",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map_CVE-2026-21438