Unbounded Memory Consumption in WebTransport Implementation by quic-go
CVE-2026-21438

5.3MEDIUM

Key Information:

Vendor: Quic-go
Status: Webtransport-go
Vendor: CVE Published:; 12 February 2026

What is CVE-2026-21438?

The webtransport-go library, an implementation of the WebTransport protocol, suffers from a vulnerability that allows an attacker to induce unbounded memory consumption. This occurs when a large number of WebTransport streams are created and closed repeatedly. Due to an oversight in session management, the closed streams remain in an internal session map, which prevents their resources from being garbage collected. This leads to the potential exhaustion of system memory, adversely affecting application performance and stability. The issue has been addressed in version 0.10.0, which includes necessary fixes.

Affected Version(s)

webtransport-go < 0.10.0

References

https://github.com/quic-go/webtransport-go/security/advis...

x_refsource_CONFIRM

https://github.com/quic-go/webtransport-go/releases/tag/v...

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2026
Vulnerability Reserved
Dec 29, 2025

CVE-2026-21438 Data

JSON

Quic-go

What is CVE-2026-21438?

Affected Version(s)

References

CVSS V3.1

Timeline