Description

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

PUBLISHED Reserved 2025-12-29 | Published 2026-02-12 | Updated 2026-02-17 | Assigner GitHub_M




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-401: Missing Release of Memory after Effective Lifetime

CWE-459: Incomplete Cleanup

Product status

< 0.10.0
affected

References

github.com/...ort-go/security/advisories/GHSA-2f2x-8mwp-p2gc

github.com/quic-go/webtransport-go/releases/tag/v0.10.0

cve.org (CVE-2026-21438)

nvd.nist.gov (CVE-2026-21438)