CVE-2026-21435
Published: 12 February 2026
Summary
CVE-2026-21435 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Quic-Go Webtransport-Go. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK sub-technique Endpoint Denial of Service: Application or System Exploitation (T1499.004). The CVE ranks at the 5.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21435 is a denial-of-service vulnerability in webtransport-go, an open-source implementation of the WebTransport protocol over QUIC. Versions prior to v0.10.0 are affected, where a malicious peer can withhold QUIC flow control credit on the CONNECT stream. This blocks transmission of the WT_CLOSE_SESSION capsule, preventing or indefinitely delaying WebTransport session closure and causing the close operation to hang. The issue is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-400 (Uncontrolled Resource Consumption).
A remote, unauthenticated attacker acting as a malicious peer can exploit this vulnerability over the network with low complexity and no user interaction. By withholding flow-control credit on the CONNECT stream, the attacker stalls the write of the WT_CLOSE_SESSION capsule, so the session's close operation never completes. Each stalled close keeps the session and whatever is blocked on it allocated, and repeated attempts accumulate into resource exhaustion and denial of service on the affected webtransport-go instance. The impact is limited to availability, with no confidentiality or integrity effects.
The vulnerability is fixed in webtransport-go v0.10.0, as detailed in the project's release notes and GitHub security advisory GHSA-px4r-g4p3-hhqv. Security practitioners should upgrade to v0.10.0 or later to mitigate the issue.
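The failure mode above, and the defensive shape of a fix, are easier to see in code. The following Go program is an added illustration written for this page; it is not code from webtransport-go or quic-go, and it does not claim to reproduce how v0.10.0 fixes the issue. It models a QUIC stream with a constructed `creditStream` type whose `Write` blocks until the peer has granted flow-control credit (the condition a malicious peer can hold forever), and a `closeSession` function that bounds the graceful close with a context deadline and aborts the transport when the deadline passes, so the blocked writer is released instead of hanging. `closeCapsule` is a placeholder byte string standing in for the encoded WT_CLOSE_SESSION capsule, not its real wire format.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrCloseTimeout is returned when the close capsule could not be sent before the deadline.
var ErrCloseTimeout = errors.New("close: peer withheld flow-control credit, connection aborted")

var errAborted = errors.New("stream aborted")

// closeCapsule is a constructed placeholder for the encoded WT_CLOSE_SESSION
// capsule; the real capsule encoding is deliberately not reproduced here.
var closeCapsule = []byte("WT_CLOSE_SESSION")

// creditStream is a constructed stand-in for a QUIC stream: Write blocks until
// the peer has granted enough flow-control credit for the whole payload, which
// is exactly the wait a malicious peer can prolong indefinitely.
type creditStream struct {
	mu      sync.Mutex
	cond    *sync.Cond
	credit  int
	aborted bool
}

func newCreditStream(initialCredit int) *creditStream {
	s := &creditStream{credit: initialCredit}
	s.cond = sync.NewCond(&s.mu)
	return s
}

// GrantCredit models the peer raising the stream's send limit (a cooperative peer).
func (s *creditStream) GrantCredit(n int) {
	s.mu.Lock()
	s.credit += n
	s.mu.Unlock()
	s.cond.Broadcast()
}

// Abort models tearing down the underlying QUIC connection: every writer
// blocked on credit is released with an error instead of waiting forever.
func (s *creditStream) Abort() {
	s.mu.Lock()
	s.aborted = true
	s.mu.Unlock()
	s.cond.Broadcast()
}

// Write blocks until the granted credit covers p, or until the stream is aborted.
func (s *creditStream) Write(p []byte) (int, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for s.credit < len(p) && !s.aborted {
		s.cond.Wait() // releases mu while waiting, re-acquires before returning
	}
	if s.aborted {
		return 0, errAborted
	}
	s.credit -= len(p)
	return len(p), nil
}

// closeSession attempts a graceful close by writing the close capsule on the
// CONNECT stream, but bounds the wait with ctx. On deadline it aborts the
// transport so the blocked write and its goroutine are released, not leaked.
func closeSession(ctx context.Context, connect *creditStream, capsule []byte) error {
	done := make(chan error, 1)
	go func() {
		_, err := connect.Write(capsule)
		done <- err
	}()
	select {
	case err := <-done:
		return err
	case <-ctx.Done():
		connect.Abort()
		<-done // the writer has observed the abort; nothing remains blocked
		return ErrCloseTimeout
	}
}

func main() {
	// Malicious peer: never grants credit. Without the deadline this would hang forever.
	hostile := newCreditStream(0)
	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
	defer cancel()
	fmt.Println("hostile peer:", closeSession(ctx, hostile, closeCapsule))

	// Cooperative peer: credit arrives shortly and the close completes normally.
	friendly := newCreditStream(0)
	go func() {
		time.Sleep(10 * time.Millisecond)
		friendly.GrantCredit(1024)
	}()
	ctx2, cancel2 := context.WithTimeout(context.Background(), time.Second)
	defer cancel2()
	fmt.Println("cooperative peer:", closeSession(ctx2, friendly, closeCapsule))
}
```

The point of the pattern is that a graceful close must never be the only way out: whoever owns the session needs a deadline after which it stops waiting on the peer and drops the connection, which is what the AC-12 style session-termination control and SC-5 denial-of-service protection ask for at the application level. Upgrading to v0.10.0 remains the actual fix for webtransport-go itself.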
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-6717
Vulnerability details
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why this technique?
Direct mapping to application exploitation that causes an endpoint denial of service through resource exhaustion on the session hang.
Affected Assets
- webtransport-go (Quic-Go Webtransport-Go), versions prior to v0.10.0
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely application of the vendor-supplied fix (upgrade to webtransport-go v0.10.0) that eliminates the CONNECT-stream flow-control hang.
- SC-5 (Denial-of-service Protection): mandates denial-of-service protection mechanisms that can detect and mitigate resource-exhaustion conditions caused by stalled WebTransport session closure.
- AC-12 (Session Termination): enforces automatic or administrator-initiated session termination, countering the indefinite hang on WT_CLOSE_SESSION capsule transmission.