Description
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

webtransport-go implements the WebTransport protocol and contains a flaw that lets an attacker cause a denial of service by preventing or indefinitely delaying the closure of a WebTransport session. The attacker can hold back QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. The effect is a stuck connection that cannot be terminated normally.

Affected Systems

The vulnerability affects quic-go’s webtransport-go library. All versions prior to 0.10.0 are vulnerable; the fix is included in v0.10.0 and later releases.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of <1% signals a very low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. Attackers must control a malicious peer capable of withholding QUIC flow control credit on the CONNECT stream; successful exploitation results in a session that remains open indefinitely, leading to a denial of service for the affected application.

Generated by OpenCVE AI on April 17, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade webtransport-go to version 0.10.0 or later.
  • If an upgrade is not immediately possible, monitor sessions for failed closure and enforce a timeout or reset connections after a defined period.
  • Validate peer behavior and consider rejecting connections that exhibit abnormal flow control handling.
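One way to enforce the close timeout from the second recommendation, as an added example that is not code from webtransport-go or OpenCVE. `blockingCloser`, `closeWithDeadline`, `hardReset` and `stalledSession` are hypothetical names, and the `uint32` error-code type is an assumption; only `CloseWithError` is named on this page.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// blockingCloser is a hypothetical interface; its one method mirrors the
// CloseWithError call named in the advisory title (uint32 code is assumed).
type blockingCloser interface {
	CloseWithError(code uint32, msg string) error
}

var ErrCloseTimedOut = errors.New("session close timed out; connection reset")

// closeWithDeadline runs the graceful close in its own goroutine and waits at
// most d. If the peer never grants flow control credit, hardReset tears down
// the underlying connection, which also unblocks the stuck goroutine.
func closeWithDeadline(s blockingCloser, hardReset func(), d time.Duration) error {
	done := make(chan error, 1) // buffered, so a late result never blocks the sender
	go func() { done <- s.CloseWithError(0, "bye") }()
	timer := time.NewTimer(d)
	defer timer.Stop()
	select {
	case err := <-done:
		return err
	case <-timer.C:
		hardReset()
		return ErrCloseTimedOut
	}
}

// stalledSession is a constructed stand-in for a session whose peer withholds
// credit: CloseWithError blocks until the connection is reset.
type stalledSession struct{ reset chan struct{} }

func (s *stalledSession) CloseWithError(uint32, string) error {
	<-s.reset
	return errors.New("connection reset")
}

func main() {
	s := &stalledSession{reset: make(chan struct{})}
	err := closeWithDeadline(s, func() { close(s.reset) }, 50*time.Millisecond)
	fmt.Println(err) // the caller regains control after the deadline
}
```

In a real service `hardReset` would close the underlying QUIC connection, and a returned `ErrCloseTimedOut` is a useful signal to log per peer.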



Advisories
Source: GitHub GHSA
ID: GHSA-px4r-g4p3-hhqv
Title: webtransport-go: CloseWithError can block indefinitely
History

Thu, 19 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Quic-go
Quic-go webtransport-go
Vendors & Products Quic-go
Quic-go webtransport-go

Thu, 12 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
Title webtransport-go CloseWithError can block indefinitely
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-17T15:36:08.731Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21435

Vulnrichment

Updated: 2026-02-17T15:36:05.195Z

NVD

Status: Analyzed

Published: 2026-02-12T19:15:51.503

Modified: 2026-02-19T22:51:49.417

Link: CVE-2026-21435

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses