CVE-2026-21438

MEDIUM

Quic-go Webtransport-go < 0.10.0 - Memory Leak

Title source: rule

Description

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

References (2)

[Vendor Advisory] https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc

[Release Notes] https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 5.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-459 CWE-401

Status published

Products (2)

quic-go/webtransport-go < 0.10.0

quic-go/webtransport-go 0 - 0.10.0Go

Published Feb 12, 2026

Tracked Since Feb 18, 2026