CVE-2026-21434
Memory Exhaustion in webtransport-go Session via Oversized WT_CLOSE_SESSION Payload
Publication date: 2026-02-12
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quic-go | webtransport-go | From 0.3.0 (inc) to 0.10.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the webtransport-go package versions 0.3.0 through 0.9.0. It occurs because the implementation does not enforce a size limit on the Application Error Message field within the WT_CLOSE_SESSION capsule of the WebTransport protocol.
An attacker can send a WT_CLOSE_SESSION capsule containing an arbitrarily large Application Error Message payload. Since the implementation reads and stores the entire payload without any upper bound, this can cause excessive memory consumption on the recipient side.
This leads to a memory exhaustion attack, where the attacker consumes an arbitrary amount of memory by transmitting a large payload. The vulnerability was fixed in version 0.10.0 by limiting the Application Error Message size to 1024 bytes.
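The difference between an unbounded and a bounded read of the capsule value, as an added Go example (not webtransport-go's own code). It assumes the capsule value arrives as an `io.Reader` laid out as a 4-byte Application Error Code followed by the message, as in the WebTransport over HTTP/3 draft; the function and variable names are hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

const maxErrMsgLen = 1024 // limit this page cites for the 0.10.0 fix

var errMsgTooLong = errors.New("WT_CLOSE_SESSION error message exceeds 1024 bytes")

// parseUnbounded is the flawed pattern: it buffers whatever the peer sends.
func parseUnbounded(value io.Reader) (uint32, string, error) {
	var code [4]byte
	if _, err := io.ReadFull(value, code[:]); err != nil {
		return 0, "", err
	}
	msg, err := io.ReadAll(value) // allocation grows with the peer's payload
	return binary.BigEndian.Uint32(code[:]), string(msg), err
}

// parseBounded reads at most maxErrMsgLen+1 message bytes; the extra byte
// only serves to tell "exactly at the limit" apart from "over the limit".
func parseBounded(value io.Reader) (uint32, string, error) {
	var code [4]byte
	if _, err := io.ReadFull(value, code[:]); err != nil {
		return 0, "", err
	}
	msg, err := io.ReadAll(io.LimitReader(value, maxErrMsgLen+1))
	if err != nil {
		return 0, "", err
	}
	if len(msg) > maxErrMsgLen {
		return 0, "", errMsgTooLong
	}
	return binary.BigEndian.Uint32(code[:]), string(msg), nil
}

func main() {
	// Constructed sample: error code 7 followed by a 1 MiB message.
	src := strings.NewReader("\x00\x00\x00\x07" + strings.Repeat("A", 1<<20))
	total := src.Len()
	_, _, err := parseBounded(src)
	fmt.Printf("%v (consumed %d of %d bytes)\n", err, total-src.Len(), total)
}
```

On the constructed 1 MiB input, `parseBounded` stops after 4 + 1025 bytes and returns an error, while `parseUnbounded` holds the full message in memory.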
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause excessive memory consumption on systems running vulnerable versions of webtransport-go.
The attack can lead to resource exhaustion, potentially degrading system availability or causing denial of service conditions.
However, it does not affect confidentiality or integrity, and requires no privileges or user interaction to exploit.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker sending a WT_CLOSE_SESSION capsule with an excessively large Application Error Message payload to a webtransport-go implementation (versions 0.3.0 to 0.9.0). Detection would involve monitoring network traffic for unusually large WT_CLOSE_SESSION capsules or abnormal memory usage patterns in the webtransport-go process.
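Because the vulnerability concerns the size of the Application Error Message in WT_CLOSE_SESSION capsules, you can detect potential exploitation attempts by capturing and inspecting HTTP/3 traffic for WT_CLOSE_SESSION capsules whose payloads exceed the 1024-byte limit. HTTP/3 runs over QUIC, which is encrypted, so the capsule contents are only visible in a capture when the TLS session secrets are available for decryption.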
Suggested commands might include using packet capture tools like tcpdump or Wireshark to filter HTTP/3 traffic and analyze WT_CLOSE_SESSION capsules, for example:
- Use tcpdump to capture traffic on the relevant interface and port: `tcpdump -i <interface> port <http3-port> -w capture.pcap`
- Open the capture in Wireshark and filter for WebTransport WT_CLOSE_SESSION capsules, then check the size of the Application Error Message field.
Additionally, monitoring the memory usage of the webtransport-go process for unexpected spikes could help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade webtransport-go to version 0.10.0 or later, where the vulnerability is fixed by enforcing a maximum length of 1024 bytes on the Application Error Message in WT_CLOSE_SESSION capsules.
If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting or filtering to block or limit WT_CLOSE_SESSION capsules with unusually large payloads.
Monitoring and alerting on abnormal memory usage in the webtransport-go service can also help detect and respond to exploitation attempts.