CVE-2026-21434
Published: 12 February 2026
Summary
CVE-2026-21434 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Quic-Go Webtransport-Go. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21434 affects webtransport-go, an implementation of the WebTransport protocol, in versions from 0.3.0 to 0.9.0 inclusive. The vulnerability stems from the session implementation's failure to enforce the draft-mandated 1024-byte limit on the Application Error Message field within a WT_CLOSE_SESSION capsule. This allows a peer to send an arbitrarily large message payload, which is fully read and stored in memory, leading to excessive memory consumption. The issue is rated CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).
Any network-accessible peer can exploit this vulnerability by transmitting a WT_CLOSE_SESSION capsule with an oversized Application Error Message. While the attacker must send the full payload to trigger memory consumption, the absence of an upper bound enables large-scale denial-of-service attacks given sufficient bandwidth, potentially exhausting server resources without requiring authentication or user interaction.
The vulnerability is addressed in webtransport-go version 0.10.0, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 0.10.0 or later to mitigate the issue, with further details available at https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0 and https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6715
Vulnerability details
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
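The defect described above is a length check that is missing before allocation. The following Go program is an added example, not code from webtransport-go or from the 0.10.0 fix, showing where such a check belongs in a capsule parser. It assumes the capsule layout from the WebTransport draft (a varint capsule type, a varint value length, a 32-bit Application Error Code, then the Application Error Message) and uses QUIC varint encoding from RFC 9000; the capsule type value 0x2843 is a placeholder constant, not taken from the draft or the project. The parser rejects any capsule whose declared value length exceeds 4 + 1024 bytes before calling make(), so a peer-declared length never sizes an allocation:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"strings"
)

const (
	// Placeholder capsule type value for WT_CLOSE_SESSION: an assumption for this
	// example, not taken from the draft or from webtransport-go.
	capsuleTypeCloseSession uint64 = 0x2843
	maxErrorMessageLen             = 1024 // draft-mandated bound on Application Error Message
	errorCodeLen                   = 4    // 32-bit Application Error Code precedes the message
)

var ErrMessageTooLong = errors.New("WT_CLOSE_SESSION: error message exceeds 1024 bytes")

// readVarint decodes a QUIC variable-length integer (RFC 9000, section 16).
func readVarint(r *bytes.Reader) (uint64, error) {
	first, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	v := uint64(first & 0x3f)
	for i := 1; i < 1<<(first>>6); i++ { // total length is 1, 2, 4 or 8 bytes
		b, err := r.ReadByte()
		if err != nil {
			return 0, err
		}
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// appendVarint encodes v as a QUIC variable-length integer.
func appendVarint(buf []byte, v uint64) []byte {
	switch {
	case v < 1<<6:
		return append(buf, byte(v))
	case v < 1<<14:
		return append(buf, byte(0x40|v>>8), byte(v))
	case v < 1<<30:
		return append(buf, byte(0x80|v>>24), byte(v>>16), byte(v>>8), byte(v))
	default:
		return append(buf, byte(0xc0|v>>56), byte(v>>48), byte(v>>40), byte(v>>32),
			byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
	}
}

// parseCloseSession reads one WT_CLOSE_SESSION capsule and returns its error code
// and message. The flawed pattern the advisory describes trusts the declared length
// and allocates it outright; here the length is checked against the draft limit first.
func parseCloseSession(r *bytes.Reader) (uint32, string, error) {
	typ, err := readVarint(r)
	if err != nil {
		return 0, "", err
	}
	if typ != capsuleTypeCloseSession {
		return 0, "", fmt.Errorf("capsule: unexpected type %#x", typ)
	}
	length, err := readVarint(r)
	if err != nil {
		return 0, "", err
	}
	if length < errorCodeLen {
		return 0, "", fmt.Errorf("WT_CLOSE_SESSION: %d-byte value is shorter than the error code", length)
	}
	if length > errorCodeLen+maxErrorMessageLen {
		return 0, "", ErrMessageTooLong // rejected before make()
	}
	value := make([]byte, length) // bounded: at most 4 + 1024 bytes
	if _, err := io.ReadFull(r, value); err != nil {
		return 0, "", err
	}
	return binary.BigEndian.Uint32(value[:errorCodeLen]), string(value[errorCodeLen:]), nil
}

// encodeCloseSession builds a capsule for test input; it applies no limit on purpose.
func encodeCloseSession(code uint32, msg string) []byte {
	value := make([]byte, errorCodeLen, errorCodeLen+len(msg))
	binary.BigEndian.PutUint32(value, code)
	value = append(value, msg...)
	out := appendVarint(nil, capsuleTypeCloseSession)
	out = appendVarint(out, uint64(len(value)))
	return append(out, value...)
}

func main() {
	// Constructed inputs: a message exactly at the limit, one byte over, and far beyond.
	for _, n := range []int{maxErrorMessageLen, maxErrorMessageLen + 1, 64 * 1024} {
		code, msg, err := parseCloseSession(bytes.NewReader(encodeCloseSession(0x1234, strings.Repeat("a", n))))
		fmt.Printf("%d-byte message: code=%#x stored=%d err=%v\n", n, code, len(msg), err)
	}
}
```

The order of the checks matters: the length is compared against the limit while it is still just an integer read from the wire, and the comparison is written as `length > errorCodeLen+maxErrorMessageLen` rather than `length-errorCodeLen > maxErrorMessageLen` so that a value shorter than the 4-byte error code cannot wrap the unsigned subtraction. When the limit is enforced at this point, the largest buffer a peer can cause the parser to allocate is 1028 bytes per capsule, regardless of how much data it is willing to send.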
- CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
The vulnerability is a server-side resource exhaustion flaw in a network protocol implementation that is directly exploitable over the network to achieve application DoS via crafted WT_CLOSE_SESSION capsules.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces size limits on untrusted fields such as the Application Error Message in WT_CLOSE_SESSION capsules, directly blocking the unbounded allocation that triggers memory exhaustion.
- SC-5 (Denial-of-service Protection): Requires denial-of-service protections that limit resource consumption from unauthenticated network peers sending oversized WebTransport capsules.
- SC-6 (Resource Availability): Mandates safeguards such as quotas or priority-based allocation to keep memory available when a peer supplies an arbitrarily large error message.