CVE-2026-21438
Unbounded Memory Consumption in webtransport-go WebTransport Streams
Publication date: 2026-02-12
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quic-go | webtransport-go | to 0.10.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
| CWE-459 | The product does not properly "clean up" and remove temporary or supporting resources after they have been used. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21438 is a memory exhaustion vulnerability in the webtransport-go package (versions up to v0.9.0). The problem occurs because the internal session map that tracks WebTransport streams does not remove entries for streams after they are closed. This causes closed streams to remain indefinitely in memory, preventing garbage collection of their resources.
An attacker can exploit this by repeatedly creating and closing many WebTransport streams, which causes unbounded memory consumption as the memory used by closed streams accumulates.
This vulnerability was fixed in version v0.10.0 by changing the internal session map to remove closed streams, allowing their resources to be properly freed.
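The leak pattern the answer above describes, modelled as an added Go example that is not webtransport-go's own code: a session-level map that keeps its entries for closed streams (the pre-0.10.0 behaviour) beside one that deletes them on close (the fix). The `stream`, `session`, `churn` and `trackedStreams` names are assumptions for this model; `trackedStreams` is the regression check a maintainer would want, since after every stream is closed it must return 0.

```go
package main
import "fmt"
// Simplified stand-ins for a WebTransport stream and its session; NOT webtransport-go's
// real types. They only model the session-map behaviour the advisory describes.
type streamID uint64
type stream struct {
	id  streamID
	buf []byte // per-stream state that stays reachable while the map holds the stream
}

type session struct {
	nextID  streamID
	streams map[streamID]*stream
	fixed   bool // true = drop closed streams from the map (the v0.10.0 fix)
}

func newSession(fixed bool) *session {
	return &session{streams: make(map[streamID]*stream), fixed: fixed}
}

func (s *session) openStream() *stream {
	st := &stream{id: s.nextID, buf: make([]byte, 4096)}
	s.nextID++
	s.streams[st.id] = st
	return st
}

func (s *session) closeStream(st *stream) {
	// Vulnerable behaviour: the entry is left in place, so the closed stream and
	// its buffer stay referenced from the map and the GC can never reclaim them.
	if s.fixed {
		delete(s.streams, st.id) // the fix: release the reference on close
	}
}
// trackedStreams is the regression check: once all streams are closed it must be 0.
func (s *session) trackedStreams() int { return len(s.streams) }

// churn opens and immediately closes n streams, then reports what is still tracked.
func churn(s *session, n int) int {
	for i := 0; i < n; i++ {
		s.closeStream(s.openStream())
	}
	return s.trackedStreams()
}

func main() {
	fmt.Println("leaking session still tracks:", churn(newSession(false), 10000))
	fmt.Println("fixed session still tracks:  ", churn(newSession(true), 10000))
}
```

In the leaking model the retained count grows with every open/close cycle, which is exactly the steadily rising memory profile the detection answer below tells you to watch for.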
How can this vulnerability impact me?
This vulnerability can lead to unbounded memory consumption on systems running vulnerable versions of webtransport-go. An attacker can cause a denial of service by exhausting memory resources through repeated creation and closure of WebTransport streams.
The impact is on availability, as the system may become slow, unresponsive, or crash due to memory exhaustion. There is no impact on confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded memory consumption caused by the internal session map retaining closed WebTransport streams, leading to memory exhaustion.

Detection can focus on monitoring memory usage patterns of the webtransport-go service, looking for unusually high or steadily increasing memory consumption without corresponding active streams.

Since the attack vector is network-based and involves repeatedly creating and closing many WebTransport streams, network traffic analysis tools could be used to detect abnormal patterns of stream creation and closure.

Specific commands are not provided in the available resources, but general approaches include:

- Using system monitoring tools like 'top', 'htop', or 'ps' to observe memory usage of the webtransport-go process.
- Using network monitoring tools such as 'tcpdump' or 'wireshark' to capture and analyze WebTransport stream creation and closure patterns.
- Checking application logs for unusually high numbers of stream open/close events. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade webtransport-go to version v0.10.0 or later, where the vulnerability is fixed by removing closed streams from the internal session map to allow garbage collection.
Until the upgrade can be applied, consider limiting the number of WebTransport streams that can be created and closed in a short period to reduce the risk of memory exhaustion.
Monitoring memory usage and setting alerts for abnormal increases can help detect exploitation attempts early.