CVE-2026-21434

Medium

Published: 12 February 2026

Modified: 19 February 2026
KEV: not listed
CVSS v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS: 0.0002 (5.9th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21434 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Quic-Go Webtransport-Go. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21434 affects webtransport-go, an implementation of the WebTransport protocol, in versions from 0.3.0 to 0.9.0 inclusive. The vulnerability stems from the session implementation's failure to enforce the draft-mandated 1024-byte limit on the Application Error Message field within a WT_CLOSE_SESSION capsule. This allows a peer to send an arbitrarily large message payload, which is fully read and stored in memory, leading to excessive memory consumption rated at CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).

Any network-accessible peer can exploit this vulnerability by transmitting a WT_CLOSE_SESSION capsule with an oversized Application Error Message. While the attacker must send the full payload to trigger memory consumption, the absence of an upper bound enables large-scale denial-of-service attacks given sufficient bandwidth, potentially exhausting server resources without requiring authentication or user interaction.

The vulnerability is addressed in webtransport-go version 0.10.0, as detailed in the project's release notes and security advisory. Security practitioners should upgrade to 0.10.0 or later to mitigate the issue, with further details available at https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0 and https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q.
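As an added illustration (not code from webtransport-go), the Go function below reads the length-prefixed body of a WT_CLOSE_SESSION capsule and rejects any declared length that would put the Application Error Message over the 1024-byte draft limit before reading or allocating the payload, which is the check the affected versions lacked. It assumes the caller's capsule dispatcher has already consumed the Capsule Type varint and that the length uses the RFC 9000 variable-length integer encoding.

```go
package main

import (
	"bufio"
	"encoding/binary"
	"errors"
	"io"
)

// Assumed from the WebTransport draft (not a value quoted on the page): cap on the Application Error Message field.
const maxCloseMessageLen = 1024
var ErrMessageTooLong = errors.New("WT_CLOSE_SESSION: Application Error Message exceeds 1024 bytes")

// readVarint decodes a QUIC variable-length integer (RFC 9000, section 16).
func readVarint(r io.ByteReader) (uint64, error) {
	b, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	n := 1 << (b >> 6) // total encoded length: 1, 2, 4 or 8 bytes
	v := uint64(b & 0x3f)
	for i := 1; i < n; i++ {
		if b, err = r.ReadByte(); err != nil {
			return 0, err
		}
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// ParseCloseSession reads the Capsule Length and payload of a WT_CLOSE_SESSION capsule (Capsule Type
// assumed already consumed). The size check uses only the declared length, before any payload is read.
func ParseCloseSession(r io.Reader) (code uint32, msg string, err error) {
	br := bufio.NewReader(r)
	length, err := readVarint(br)
	if err != nil {
		return 0, "", err
	}
	if length < 4 {
		return 0, "", errors.New("WT_CLOSE_SESSION: too short for the Application Error Code")
	}
	if length-4 > maxCloseMessageLen {
		return 0, "", ErrMessageTooLong // the check the affected versions lacked
	}
	buf := make([]byte, int(length)) // bounded: at most 4 + 1024 bytes
	if _, err = io.ReadFull(br, buf); err != nil {
		return 0, "", err
	}
	return binary.BigEndian.Uint32(buf[:4]), string(buf[4:]), nil
}
```

Because the rejection is decided from the declared length alone, a peer announcing an oversized message is cut off before a single payload byte is buffered.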

Vulnerability details

webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability is a server-side resource exhaustion flaw in a network protocol implementation that is directly exploitable over the network to achieve application DoS via crafted WT_CLOSE_SESSION capsules.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21435 - same product: Quic-Go Webtransport-Go
CVE-2021-47877 - shared CWE-770
CVE-2026-3260 - shared CWE-770
CVE-2025-66560 - shared CWE-770
CVE-2025-68136 - shared CWE-770
CVE-2020-37038 - shared CWE-770
CVE-2025-36070 - shared CWE-770
CVE-2021-47791 - shared CWE-770
CVE-2021-47876 - shared CWE-770
CVE-2019-25342 - shared CWE-770

Affected Assets

quic-go
webtransport-go
0.3.0 through 0.9.0 affected; fixed in 0.10.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Enforces size limits on untrusted fields such as the Application Error Message in WT_CLOSE_SESSION capsules, directly blocking the unbounded allocation that triggers memory exhaustion.

SC-5 Denial-of-service Protection (prevent)

Requires denial-of-service protections that limit resource consumption from unauthenticated network peers sending oversized WebTransport capsules.

prevent

Mandates safeguards such as quotas or priority-based allocation to keep memory available when a peer supplies an arbitrarily large error message.
