Description
webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
Published: 2026-02-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion (Denial of Service)
Action: Immediate Patch
AI Analysis

Impact

webtransport-go implements the WebTransport protocol. Before version 0.10.0, a flaw allows an attacker to repeatedly open and close streams, which remain in an internal map; the closed streams are not cleaned up so garbage collection does not reclaim their memory. This results in unbounded memory growth and can exhaust the server’s heap, leading to service disruption. The weakness is an instance of improper resource management (CWE-401) and missing cleanup of data structures (CWE-459).

Affected Systems

The affected product is the quic-go webtransport-go library. Any deployment using versions prior to 0.10.0 is vulnerable. Releases up to and including 0.9.x have not applied the fix.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity and the EPSS score of less than 1% indicates a low but nonzero chance of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by making repeated WebTransport stream requests over the network; no special privileges or insider access are required. The combined risk is moderate but the impact—total memory exhaustion—can bring the service entirely to a halt. Monitoring and mitigation are recommended.

Generated by OpenCVE AI on April 17, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to webtransport-go v0.10.0 or later to apply the official fix
  • If upgrading is not immediately possible, implement a limit on the number of streams per session to reduce potential memory growth
  • Monitor application memory usage and trigger alerts if consumption exceeds expected thresholds
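As an added illustration (not code from this page or from webtransport-go itself), the bookkeeping pattern behind the leak described under Impact, beside the corrected form that deletes on close and applies the per-session stream cap from the list above. The Session and Stream types, the 4 KiB per-stream buffer and the fixed flag are constructed for the demonstration and are not the library's own.

```go
package main

import "errors"

var ErrTooManyStreams = errors.New("per-session stream limit reached")

// Stream stands in for a WebTransport stream; constructed here, not webtransport-go's type.
type Stream struct {
	ID  uint64
	buf []byte // per-stream buffer that should become garbage once the stream closes
}

// Session keeps streams in a map keyed by ID (single-goroutine illustration). fixed=false
// reproduces the pre-0.10.0 pattern: CloseStream never deletes the entry, so closed streams stay
// reachable and the GC cannot reclaim them. fixed=true deletes it and caps streams per session.
type Session struct {
	streams    map[uint64]*Stream
	nextID     uint64
	fixed      bool
	maxStreams int // only enforced when fixed; 0 means unlimited
}

func NewSession(fixed bool, maxStreams int) *Session { return &Session{streams: map[uint64]*Stream{}, fixed: fixed, maxStreams: maxStreams} }

func (s *Session) OpenStream() (*Stream, error) {
	if s.fixed && s.maxStreams > 0 && len(s.streams) >= s.maxStreams {
		return nil, ErrTooManyStreams // interim mitigation: refuse rather than let the map grow
	}
	s.nextID++
	st := &Stream{ID: s.nextID, buf: make([]byte, 4096)}
	s.streams[st.ID] = st
	return st, nil
}

func (s *Session) CloseStream(st *Stream) {
	if s.fixed { // the leaky variant skips this delete, so the entry outlives the stream
		delete(s.streams, st.ID)
	}
}

// Churn opens and immediately closes n streams and returns how many map entries survive.
func Churn(s *Session, n int) int {
	for i := 0; i < n; i++ {
		if st, err := s.OpenStream(); err == nil {
			s.CloseStream(st)
		}
	}
	return len(s.streams)
}
```

With fixed=false every one of the n churned streams (and its buffer) is still reachable from the map afterwards, which is the growth the advisory describes; with fixed=true the map is empty after the same churn and a ninth concurrent stream on a cap of eight is refused.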



Advisories

Source: GitHub GHSA
ID: GHSA-2f2x-8mwp-p2gc
Title: webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map
History

Thu, 19 Feb 2026 23:00:00 +0000
  • CPEs (values added): cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*

Tue, 17 Feb 2026 16:15:00 +0000
  • Metrics (values added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 13 Feb 2026 21:45:00 +0000
  • First Time appeared (values added): Quic-go; Quic-go webtransport-go
  • Vendors & Products (values added): Quic-go; Quic-go webtransport-go

Thu, 12 Feb 2026 18:45:00 +0000
  • Description (values added): webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
  • Title (values added): webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map
  • Weaknesses (values added): CWE-401; CWE-459
  • References (values added):
  • Metrics (values added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-17T15:39:06.672Z

Reserved: 2025-12-29T03:00:29.275Z

Link: CVE-2026-21438

Vulnrichment

Updated: 2026-02-17T15:39:03.242Z

NVD

Status: Analyzed

Published: 2026-02-12T19:15:51.677

Modified: 2026-02-19T22:50:30.217

Link: CVE-2026-21438

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses