CVE-2026-21434 (GCVE-0-2026-21434)
Vulnerability from cvelistv5 – Published: 2026-02-12 18:18 – Updated: 2026-02-12 18:45
Title
webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
Summary
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
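The capsule handling described above, as an added Go example written for this page (it is not code from webtransport-go or from the 0.10.0 fix, whose actual implementation this page does not show). It assumes the capsule layout from the WebTransport over HTTP/3 draft: a varint capsule type (WT_CLOSE_SESSION, taken here as 0x2843), a varint length, a 32-bit Application Error Code and then the Application Error Message. `ParseCloseSessionUnbounded` reproduces the CWE-770 shape the advisory describes (the peer-declared length is allocated and read in full); `ParseCloseSession` enforces the draft's 1024-byte limit on the declared length before touching memory. All function names, the constructed capsules and the error value are this example's own.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed from the WebTransport over HTTP/3 draft, not taken from webtransport-go.
const (
	capsuleTypeCloseSession = 0x2843 // WT_CLOSE_SESSION capsule type
	maxCloseMessageLen      = 1024   // draft bound on the Application Error Message
)

var ErrBadLength = errors.New("WT_CLOSE_SESSION: declared value length outside the allowed range")

// readVarint decodes a QUIC variable-length integer (RFC 9000, section 16).
func readVarint(r io.ByteReader) (uint64, error) {
	b, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	n := 1 << (b >> 6) // encoded length: 1, 2, 4 or 8 bytes
	v := uint64(b & 0x3f)
	for i := 1; i < n; i++ {
		if b, err = r.ReadByte(); err != nil {
			return 0, err
		}
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// appendVarint encodes v as a QUIC variable-length integer.
func appendVarint(buf []byte, v uint64) []byte {
	switch {
	case v < 1<<6:
		return append(buf, byte(v))
	case v < 1<<14:
		return append(buf, byte(0x40|v>>8), byte(v))
	case v < 1<<30:
		return append(buf, byte(0x80|v>>24), byte(v>>16), byte(v>>8), byte(v))
	}
	return append(buf, byte(0xc0|v>>56), byte(v>>48), byte(v>>40), byte(v>>32),
		byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
}

// BuildCloseSessionCapsule encodes Type, Length, 32-bit error code and message.
func BuildCloseSessionCapsule(code uint32, msg []byte) []byte {
	buf := appendVarint(nil, capsuleTypeCloseSession)
	buf = appendVarint(buf, uint64(4+len(msg)))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], code)
	return append(append(buf, c[:]...), msg...)
}

// parseCloseSession reads one capsule from a buffered stream. maxMsg is compared
// with the declared length before anything is allocated or read from the peer.
func parseCloseSession(r *bufio.Reader, maxMsg uint64) (uint32, string, error) {
	typ, err := readVarint(r)
	if err != nil || typ != capsuleTypeCloseSession {
		return 0, "", fmt.Errorf("bad capsule header: type 0x%x, err %v", typ, err)
	}
	length, err := readVarint(r)
	if err != nil {
		return 0, "", err
	}
	if length < 4 || length-4 > maxMsg {
		return 0, "", fmt.Errorf("%w: %d", ErrBadLength, length)
	}
	buf := make([]byte, length) // sized by the peer: the allocation the bound protects
	if _, err := io.ReadFull(r, buf); err != nil {
		return 0, "", err
	}
	return binary.BigEndian.Uint32(buf[:4]), string(buf[4:]), nil
}

// ParseCloseSessionUnbounded models the CWE-770 shape in the advisory: with no
// effective bound the peer's declared length drives the allocation and the whole
// message is read and kept, so memory use is limited only by attacker bandwidth.
func ParseCloseSessionUnbounded(r *bufio.Reader) (uint32, string, error) {
	return parseCloseSession(r, ^uint64(0))
}

// ParseCloseSession applies the draft's 1024-byte bound, rejecting an oversized
// capsule at fixed cost however many bytes follow its header.
func ParseCloseSession(r *bufio.Reader) (uint32, string, error) {
	return parseCloseSession(r, maxCloseMessageLen)
}

func main() {
	big := BuildCloseSessionCapsule(1, bytes.Repeat([]byte("A"), 1<<20)) // constructed 1 MiB message
	_, _, err := ParseCloseSession(bufio.NewReader(bytes.NewReader(big)))
	_, msg, _ := ParseCloseSessionUnbounded(bufio.NewReader(bytes.NewReader(big)))
	fmt.Printf("bounded: %v; unbounded kept %d bytes in memory\n", err, len(msg))
}
```

The bounded parser decides from the length field alone, so a header announcing a gigabyte costs it a handful of bytes; the "attacker must transmit the full payload" caveat in the description applies only to the unbounded version. A reader of this capsule should also treat a declared length below 4 as malformed, since the error code is mandatory and the unsigned subtraction would otherwise wrap.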
Severity
5.3 (Medium), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, as scored by the CNA (GitHub). NVD's primary analysis rates the same issue 7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, treating the memory exhaustion as a full availability impact.
SSVC (CISA Coordinator, v2.0.3)
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
GitHub_M (security-advisories@github.com)
References
2 references
| URL | Tags |
|---|---|
| https://github.com/quic-go/webtransport-go/securi… | x_refsource_CONFIRM |
| https://github.com/quic-go/webtransport-go/releas… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| quic-go | webtransport-go | Affected: < 0.10.0 (NVD CPE match: 0.3.0 ≤ version < 0.10.0) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21434",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-12T18:45:50.348094Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T18:45:58.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "webtransport-go",
"vendor": "quic-go",
"versions": [
{
"status": "affected",
"version": "\u003c 0.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go\u0027s session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T18:18:04.821Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q"
},
{
"name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"
}
],
"source": {
"advisory": "GHSA-g6x7-jq8p-6q9q",
"discovery": "UNKNOWN"
},
"title": "webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21434",
"datePublished": "2026-02-12T18:18:04.821Z",
"dateReserved": "2025-12-29T03:00:29.275Z",
"dateUpdated": "2026-02-12T18:45:58.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-21434",
"date": "2026-06-29",
"epss": "0.00413",
"percentile": "0.33046"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-21434\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-12T19:15:51.333\",\"lastModified\":\"2026-06-17T10:18:39.907\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go\u0027s session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.\"},{\"lang\":\"es\",\"value\":\"webtransport-go es una implementaci\u00f3n del protocolo WebTransport. Desde 0.3.0 hasta 0.9.0, un atacante puede causar un consumo excesivo de memoria en la implementaci\u00f3n de sesi\u00f3n de webtransport-go al enviar una c\u00e1psula WT_CLOSE_SESSION que contiene un Mensaje de Error de Aplicaci\u00f3n excesivamente grande. La implementaci\u00f3n no aplica el l\u00edmite de 1024 bytes exigido por el borrador en este campo, lo que permite a un par enviar una carga \u00fatil de mensaje arbitrariamente grande que se lee y almacena completamente en memoria. Esto permite a un atacante consumir una cantidad arbitraria de memoria. El atacante debe transmitir la carga \u00fatil completa para lograr el consumo de memoria, pero la falta de cualquier l\u00edmite superior hace que los ataques a gran escala sean factibles dado un ancho de banda suficiente. Esta vulnerabilidad est\u00e1 corregida en 0.10.0.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"quic-go\",\"product\":\"webtransport-go\",\"versions\":[{\"version\":\"\u003c 0.10.0\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-02-12T18:45:50.348094Z\",\"id\":\"CVE-2026-21434\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"0.3.0\",\"versionEndExcluding\":\"0.10.0\",\"matchCriteriaId\":\"655FC296-1611-47D3-A71F-E5C093D2F463\"}]}]}],\"references\":[{\"url\":\"https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21434\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-12T18:45:50.348094Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-12T18:45:53.125Z\"}}], \"cna\": {\"title\": \"webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule\", \"source\": {\"advisory\": \"GHSA-g6x7-jq8p-6q9q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"quic-go\", \"product\": \"webtransport-go\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.10.0\"}]}], \"references\": [{\"url\": \"https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q\", \"name\": \"https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0\", \"name\": \"https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go\u0027s session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-12T18:18:04.821Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-21434\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-12T18:45:58.158Z\", \"dateReserved\": \"2025-12-29T03:00:29.275Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-12T18:18:04.821Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|