CVE-2026-21434
Awaiting Analysis Awaiting Analysis - Queue
Memory Exhaustion in webtransport-go Session via Oversized WT_CLOSE_SESSION Payload

Publication date: 2026-02-12

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21434
EUVD
EUVD-2026-6715
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
quic-go webtransport-go From 0.3.0 (inc) to 0.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the webtransport-go package versions 0.3.0 through 0.9.0. It occurs because the implementation does not enforce a size limit on the Application Error Message field within the WT_CLOSE_SESSION capsule of the WebTransport protocol.

An attacker can send a WT_CLOSE_SESSION capsule containing an arbitrarily large Application Error Message payload. Since the implementation reads and stores the entire payload without any upper bound, this can cause excessive memory consumption on the recipient side.

This leads to a memory exhaustion attack, where the attacker consumes an arbitrary amount of memory by transmitting a large payload. The vulnerability was fixed in version 0.10.0 by limiting the Application Error Message size to 1024 bytes.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause excessive memory consumption on systems running vulnerable versions of webtransport-go.

The attack can lead to resource exhaustion, potentially degrading system availability or causing denial of service conditions.

However, it does not affect confidentiality or integrity, and requires no privileges or user interaction to exploit.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves an attacker sending a WT_CLOSE_SESSION capsule with an excessively large Application Error Message payload to a webtransport-go implementation (versions 0.3.0 to 0.9.0). Detection would involve monitoring network traffic for unusually large WT_CLOSE_SESSION capsules or abnormal memory usage patterns in the webtransport-go process.

Since the vulnerability is related to the size of the Application Error Message in WT_CLOSE_SESSION capsules, you can detect potential exploitation attempts by capturing and inspecting HTTP/3 traffic for WT_CLOSE_SESSION frames with payloads exceeding the expected 1024 byte limit.

Suggested commands might include using packet capture tools like tcpdump or Wireshark to filter HTTP/3 traffic and analyze WT_CLOSE_SESSION capsules, for example:

  • Use tcpdump to capture traffic on the relevant interface and port: tcpdump -i <interface> port <http3-port> -w capture.pcap
  • Open the capture in Wireshark and filter for WebTransport WT_CLOSE_SESSION frames, then check the size of the Application Error Message field.

Additionally, monitoring the memory usage of the webtransport-go process for unexpected spikes could help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade webtransport-go to version 0.10.0 or later, where the vulnerability is fixed by enforcing a maximum length of 1024 bytes on the Application Error Message in WT_CLOSE_SESSION capsules.

If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting or filtering to block or limit WT_CLOSE_SESSION capsules with unusually large payloads.

Monitoring and alerting on abnormal memory usage in the webtransport-go service can also help detect and respond to exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart