Cyber Resilience

CVE-2026-21435

Medium

Published: 12 February 2026
Modified: 19 February 2026
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21435 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Quic-Go Webtransport-Go. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 5.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21435 is a denial-of-service vulnerability in webtransport-go, an open-source implementation of the WebTransport protocol over QUIC. Versions prior to v0.10.0 are affected: a malicious peer can withhold QUIC flow control credit on the CONNECT stream. This blocks transmission of the WT_CLOSE_SESSION capsule, preventing or indefinitely delaying WebTransport session closure and causing the close operation to hang. The issue has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-400 (Uncontrolled Resource Consumption).

A remote, unauthenticated attacker acting as a malicious peer can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating flow control on the CONNECT stream, the attacker induces a hang in session closure, leading to resource exhaustion and denial of service on the affected webtransport-go instance. The impact is limited to availability, with no confidentiality or integrity effects.

The vulnerability is fixed in webtransport-go v0.10.0, as detailed in the project's release notes and GitHub security advisory GHSA-px4r-g4p3-hhqv. Security practitioners should upgrade to v0.10.0 or later to mitigate the issue.
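The hang described above, and a bounded close that avoids it, modelled with the Go standard library only (an added example, not webtransport-go's code or its v0.10.0 fix). `net.Pipe` stands in for the CONNECT stream, and `closeSession`, `runClose` and the capsule bytes are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// Constructed placeholder bytes, not the real capsule encoding.
var closeCapsule = []byte("WT_CLOSE_SESSION placeholder")

// closeSession sends the close capsule but waits at most timeout for the peer
// to accept it, then releases the stream either way. It returns true if the
// capsule was delivered and false if the close had to be forced.
func closeSession(stream net.Conn, timeout time.Duration) (bool, error) {
	defer stream.Close() // resources are freed even when the peer stalls
	if err := stream.SetWriteDeadline(time.Now().Add(timeout)); err != nil {
		return false, err
	}
	_, err := stream.Write(closeCapsule)
	if errors.Is(err, os.ErrDeadlineExceeded) {
		return false, nil // peer withheld credit: forced close, not an error
	}
	return err == nil, err
}

// runClose models one session: net.Pipe stands in for the CONNECT stream. A
// pipe write blocks until the other end reads, like a sender with no credit.
func runClose(peerReads bool, timeout time.Duration) (bool, error) {
	local, peer := net.Pipe()
	defer peer.Close()
	if peerReads {
		go io.Copy(io.Discard, peer) // well-behaved peer drains the stream
	}
	return closeSession(local, timeout)
}

func main() {
	ok, err := runClose(true, time.Second)
	fmt.Println("cooperative peer: delivered =", ok, "err =", err)
	start := time.Now()
	ok, err = runClose(false, 100*time.Millisecond)
	fmt.Println("stalled peer: delivered =", ok, "err =", err,
		"returned after", time.Since(start).Round(10*time.Millisecond))
}
```

Without the write deadline, the second call would block for as long as the peer declines to read, which is the resource-holding condition the advisory describes.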

Vulnerability details

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application exploitation causing endpoint DoS via resource exhaustion on session hang.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21434 - Same product: Quic-Go Webtransport-Go
CVE-2024-56921 - Shared CWE-400
CVE-2026-33538 - Shared CWE-400
CVE-2026-0517 - Shared CWE-400
CVE-2026-6051 - Shared CWE-400
CVE-2026-21945 - Shared CWE-400
CVE-2026-33750 - Shared CWE-400
CVE-2024-33618 - Shared CWE-400
CVE-2025-69534 - Shared CWE-400
CVE-2025-29487 - Shared CWE-400

Affected Assets

quic-go
webtransport-go
≤ 0.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the vendor-supplied fix (upgrade to webtransport-go v0.10.0) that eliminates the CONNECT-stream flow-control hang.

prevent

Mandates denial-of-service protection mechanisms that can detect and mitigate resource-exhaustion conditions caused by stalled WebTransport session closure.

prevent

Enforces automatic or administrator-initiated session termination, countering the indefinite hang on WT_CLOSE_SESSION capsule transmission.
