Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

webtransport-go

Source -

CNA

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
3Vulnerabilities found
CVE-2026-21438
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-12 Feb, 2026 | 18:25
Updated-12 Feb, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

Action-Not Available
Vendor-quic-go
Product-webtransport-go
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CWE ID-CWE-459
Incomplete Cleanup
CVE-2026-21435
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-12 Feb, 2026 | 18:22
Updated-12 Feb, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
webtransport-go CloseWithError can block indefinitely

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.

Action-Not Available
Vendor-quic-go
Product-webtransport-go
CWE ID-CWE-400
Uncontrolled Resource Consumption
CVE-2026-21434
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-12 Feb, 2026 | 18:18
Updated-12 Feb, 2026 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule

webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.

Action-Not Available
Vendor-quic-go
Product-webtransport-go
CWE ID-CWE-770
Allocation of Resources Without Limits or Throttling