Executive Summary

CVE-2026-21438 is a memory exhaustion vulnerability in the webtransport-go package (versions up to v0.9.0). The problem occurs because the internal session map that tracks WebTransport streams does not remove entries for streams after they are closed. This causes closed streams to remain indefinitely in memory, preventing garbage collection of their resources.

An attacker can exploit this by repeatedly creating and closing many WebTransport streams, which causes unbounded memory consumption as the memory used by closed streams accumulates.

This vulnerability was fixed in version v0.10.0 by changing the internal session map to remove closed streams, allowing their resources to be properly freed.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unbounded memory consumption on systems running vulnerable versions of webtransport-go. An attacker can cause a denial of service by exhausting memory resources through repeated creation and closure of WebTransport streams.

The impact is on availability, as the system may become slow, unresponsive, or crash due to memory exhaustion. There is no impact on confidentiality or integrity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unbounded memory consumption caused by the internal session map retaining closed WebTransport streams, leading to memory exhaustion.'}, {'type': 'paragraph', 'content': 'Detection can focus on monitoring memory usage patterns of the webtransport-go service, looking for unusually high or steadily increasing memory consumption without corresponding active streams.'}, {'type': 'paragraph', 'content': 'Since the attack vector is network-based and involves repeatedly creating and closing many WebTransport streams, network traffic analysis tools could be used to detect abnormal patterns of stream creation and closure.'}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general approaches include:'}, {'type': 'list_item', 'content': "Using system monitoring tools like 'top', 'htop', or 'ps' to observe memory usage of the webtransport-go process."}, {'type': 'list_item', 'content': "Using network monitoring tools such as 'tcpdump' or 'wireshark' to capture and analyze WebTransport stream creation and closure patterns."}, {'type': 'list_item', 'content': 'Checking application logs for unusually high numbers of stream open/close events.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade webtransport-go to version v0.10.0 or later, where the vulnerability is fixed by removing closed streams from the internal session map to allow garbage collection.

Until the upgrade can be applied, consider limiting the number of WebTransport streams that can be created and closed in a short period to reduce the risk of memory exhaustion.

Monitoring memory usage and setting alerts for abnormal increases can help detect exploitation attempts early.

Useful 0 Not Useful 0