Memory Consumption Vulnerability in webtransport-go by quic-go
CVE-2026-21434

5.3 MEDIUM

Key Information:

Vendor

Quic-go

CVE Published:
12 February 2026

What is CVE-2026-21434?

The webtransport-go implementation of the WebTransport protocol contains a vulnerability in its session implementation: an attacker can send a WT_CLOSE_SESSION capsule with an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, so a peer can send an arbitrarily large message payload. Because the implementation reads and stores the full payload in memory, this leads to excessive memory consumption. With sufficient bandwidth, an attacker can carry this out at large scale. Users are encouraged to update to version 0.10.0 or later to mitigate this risk.

Affected Version(s)

webtransport-go < 0.10.0

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
