Description
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion (DoS)
Action: Patch
AI Analysis

Impact

webtransport-go, a WebTransport protocol implementation, lacked the draft-mandated 1024-byte limit on the Application Error Message field of the WT_CLOSE_SESSION capsule. This is a CWE-770 weakness (allocation of resources without limits), a resource exhaustion flaw. An attacker can send a capsule with an arbitrarily large error message, which the implementation reads and stores entirely in memory, so the attacker can consume an arbitrary amount of memory on the target. The vulnerability can be leveraged to cause a denial of service by exhausting memory, with the severity rated moderate (CVSS 5.3).
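The missing check, shown as an added example that is not webtransport-go's own code: a parser for the value of a WT_CLOSE_SESSION capsule that validates the peer's declared length against the 1024-byte draft limit before allocating or reading the message body, with a comment describing the unbounded read pattern the advisory above describes. It assumes the draft's field layout (Capsule Length as a QUIC varint, then a 32-bit Application Error Code followed by the message) and that the capsule type varint has already been consumed; every function and error name here (parseCloseSessionValue, encodeCloseSessionValue, readVarint, appendVarint, ErrMessageTooLong, ErrCapsuleTooShort) is hypothetical, and the inputs in main are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limit the draft places on the Application Error Message field, in bytes
// (the value the advisory says versions 0.3.0 through 0.9.0 did not enforce).
const maxCloseSessionMessageLen = 1024

var (
	ErrMessageTooLong  = errors.New("WT_CLOSE_SESSION: application error message longer than 1024 bytes")
	ErrCapsuleTooShort = errors.New("WT_CLOSE_SESSION: capsule value shorter than the 4-byte error code")
)

// capsuleReader is what the parser needs from the stream: byte-wise reads for
// the varint header and bulk reads for the body. *bytes.Reader and
// *bufio.Reader both satisfy it.
type capsuleReader interface {
	io.Reader
	io.ByteReader
}

// readVarint decodes a QUIC variable-length integer (RFC 9000, section 16):
// the top two bits of the first byte give the encoded length (1, 2, 4 or 8 bytes).
func readVarint(r io.ByteReader) (uint64, error) {
	first, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	n := 1 << (first >> 6)
	v := uint64(first & 0x3f)
	for i := 1; i < n; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return 0, err
		}
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// appendVarint is the encoder counterpart, used here only to construct inputs.
func appendVarint(b []byte, v uint64) []byte {
	switch {
	case v < 1<<6:
		return append(b, byte(v))
	case v < 1<<14:
		return append(b, byte(v>>8)|0x40, byte(v))
	case v < 1<<30:
		return append(b, byte(v>>24)|0x80, byte(v>>16), byte(v>>8), byte(v))
	default:
		return append(b, byte(v>>56)|0xc0, byte(v>>48), byte(v>>40), byte(v>>32),
			byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
	}
}

// encodeCloseSessionValue builds Capsule Length (i) || Application Error Code (32)
// || Application Error Message (..). The capsule type varint that precedes this
// on the wire is omitted (assumed already handled by the caller).
func encodeCloseSessionValue(code uint32, msg string) []byte {
	b := appendVarint(nil, uint64(4+len(msg)))
	b = append(b, byte(code>>24), byte(code>>16), byte(code>>8), byte(code))
	return append(b, msg...)
}

// parseCloseSessionValue is the bounded parser. The unbounded pattern the
// advisory describes amounts to: read length, make([]byte, length), io.ReadFull,
// so the peer's declared length alone decides how much memory is allocated and
// buffered. Here the declared length is checked against the draft limit before
// a single body byte is read or allocated, so an oversized capsule costs the
// receiver only the header bytes already consumed.
func parseCloseSessionValue(r capsuleReader) (code uint32, msg string, err error) {
	length, err := readVarint(r)
	if err != nil {
		return 0, "", err
	}
	if length < 4 {
		return 0, "", ErrCapsuleTooShort
	}
	if length-4 > maxCloseSessionMessageLen {
		return 0, "", ErrMessageTooLong // reject before allocating or reading the body
	}
	var codeBuf [4]byte
	if _, err := io.ReadFull(r, codeBuf[:]); err != nil {
		return 0, "", err
	}
	msgBuf := make([]byte, length-4) // at most 1024 bytes by construction
	if _, err := io.ReadFull(r, msgBuf); err != nil {
		return 0, "", err
	}
	return binary.BigEndian.Uint32(codeBuf[:]), string(msgBuf), nil
}

func main() {
	// Constructed inputs: a normal close, one exactly at the limit, one over it,
	// and a header that merely claims a 1 MiB message without sending it.
	for _, tc := range []struct {
		name string
		wire []byte
	}{
		{"3-byte message", encodeCloseSessionValue(0x1234, "bye")},
		{"1024-byte message", encodeCloseSessionValue(1, strings.Repeat("a", 1024))},
		{"1025-byte message", encodeCloseSessionValue(1, strings.Repeat("a", 1025))},
		{"header claiming 1 MiB", append(appendVarint(nil, 4+1<<20), 0, 0, 0, 0)},
	} {
		r := bytes.NewReader(tc.wire)
		code, msg, err := parseCloseSessionValue(r)
		fmt.Printf("%-22s code=%#x msgLen=%d unread=%d err=%v\n", tc.name, code, len(msg), r.Len(), err)
	}
}
```

The check is on the length the peer declares, not on bytes already received, so a capsule that announces a huge message is rejected with only its few header bytes consumed, and a single capsule can never drive the receiver's allocation past 1028 bytes. The session-level code that acts on the error (closing the session, logging the code and message) sits above this parser.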

Affected Systems

The flaw exists in quic-go's webtransport-go library versions 0.3.0 through 0.9.0. The issue was resolved in release 0.10.0. Administrators using any earlier version of the library should be aware that this vulnerability can be triggered by a malicious peer sending a specially crafted WT_CLOSE_SESSION capsule.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS is listed as less than 1%, implying a very low likelihood of widespread exploitation. The vulnerability is not currently listed in the CISA KEV catalog. An attacker must send the full payload to trigger the memory allocation, but the lack of an upper bound makes large-scale attacks feasible if sufficient bandwidth is available. The attack vector, inferred from the description, is a remote peer connecting to the vulnerable service over the WebTransport protocol.

Generated by OpenCVE AI on April 18, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the webtransport-go library to version 0.10.0 or later, which enforces the 1024‑byte limit on the error message field.
  • If an immediate upgrade is not possible, implement network‑level controls such as rate limiting or traffic shaping to restrict the rate of incoming WT_CLOSE_SESSION capsules and limit the size of messages accepted.
  • Continuously monitor memory usage of services running webtransport-go and set alerts for abnormal memory consumption so that any attempts to exhaust resources can be detected early.



Advisories

Source: Github GHSA
ID: GHSA-g6x7-jq8p-6q9q
Title: webtransport-go: Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
History

Thu, 19 Feb 2026 23:00:00 +0000

CPEs: cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*

Fri, 13 Feb 2026 21:45:00 +0000

First Time appeared: Quic-go; Quic-go webtransport-go
Vendors & Products: Quic-go; Quic-go webtransport-go

Thu, 12 Feb 2026 19:30:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 18:45:00 +0000

Description: webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
Title: webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
Weaknesses: CWE-770
References: (none listed)
Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-12T18:45:58.158Z
Reserved: 2025-12-29T03:00:29.275Z
Link: CVE-2026-21434

Vulnrichment

Updated: 2026-02-12T18:45:53.125Z

NVD

Status: Analyzed
Published: 2026-02-12T19:15:51.333
Modified: 2026-02-19T22:53:24.643
Link: CVE-2026-21434

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses