{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21438", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T03:00:29.275Z", "datePublished": "2026-02-12T18:25:34.107Z", "dateUpdated": "2026-02-17T15:39:06.672Z"}, "containers": {"cna": {"title": "webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-459", "lang": "en", "description": "CWE-459: Incomplete Cleanup", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"}, {"name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"}], "affected": [{"vendor": "quic-go", "product": "webtransport-go", "versions": [{"version": "< 0.10.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:25:34.107Z"}, "descriptions": [{"lang": "en", "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0."}], "source": {"advisory": "GHSA-2f2x-8mwp-p2gc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:38:58.113284Z", "id": "CVE-2026-21438", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:39:06.672Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21438", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:38:58.113284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:39:03.242Z"}}], "cna": {"title": "webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map", "source": {"advisory": "GHSA-2f2x-8mwp-p2gc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "quic-go", "product": "webtransport-go", "versions": [{"status": "affected", "version": "< 0.10.0"}]}], "references": [{"url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc", "name": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0", "name": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-459", "description": "CWE-459: Incomplete Cleanup"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-12T18:25:34.107Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21438", "state": "PUBLISHED", "dateUpdated": "2026-02-17T15:39:06.672Z", "dateReserved": "2025-12-29T03:00:29.275Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-12T18:25:34.107Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*", "matchCriteriaId": "D64C55F6-7FB5-4D98-9E14-99F89DD9F3E4", "versionEndExcluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0."}], "id": "CVE-2026-21438", "lastModified": "2026-02-19T22:50:30.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-12T19:15:51.677", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}, {"lang": "en", "value": "CWE-459"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.10.0)"}}], "product": "webtransport-go", "vendor": "quic-go"}], "analysis": {"en": {"generated_at": "2026-04-17T20:03:25.677011+00:00", "value": {"mitigation_remediation": ["Upgrade to webtransport-go v0.10.0 or later to apply the official fix", "If upgrading is not immediately possible, implement a limit on the number of streams per session to reduce potential memory growth", "Monitor application memory usage and trigger alerts if consumption exceeds expected thresholds"], "summary": {"action": "Immediate Patch", "impact": "Memory Exhaustion (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The affected product is the quic-go webtransport-go library. Any deployment using versions prior to 0.10.0 is vulnerable. Releases up to and including 0.9.x have not applied the fix.", "description_and_impact": "webtransport-go implements the WebTransport protocol. Before version 0.10.0, a flaw allows an attacker to repeatedly open and close streams, which remain in an internal map; the closed streams are not cleaned up so garbage collection does not reclaim their memory. This results in unbounded memory growth and can exhaust the server\u2019s heap, leading to service disruption. The weakness is an instance of improper resource management (CWE\u2011401) and missing cleanup of data structures (CWE\u2011459).", "risk_and_exploitability": "The CVSS score of 5.3 reflects moderate severity and the EPSS score of less than 1% indicates a low but nonzero chance of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw remotely by making repeated WebTransport stream requests over the network; no special privileges or insider access are required. The combined risk is moderate but the impact\u2014total memory exhaustion\u2014can bring the service entirely to a halt. Monitoring and mitigation are recommended."}}}}, "created": "2026-02-13T21:35:23.993740+00:00", "updated": "2026-04-17T20:15:26.990490+00:00", "vendors": ["quic-go", "quic-go$PRODUCT$webtransport-go"]}