webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule
Description
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/quic-go/webtransport-goGo | >= 0.3.0, < 0.10.0 | 0.10.0 |
Affected products
27- osv-coords26 versionspkg:apk/chainguard/ipfs-clusterpkg:apk/chainguard/ipfs-cluster-fipspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-1.32pkg:apk/chainguard/k3s-1.33pkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k3s-static-1.31pkg:apk/chainguard/k3s-static-1.32pkg:apk/chainguard/kubopkg:apk/chainguard/rke2-runtime-1.31pkg:apk/chainguard/rke2-runtime-1.32pkg:apk/chainguard/rke2-runtime-1.33pkg:apk/chainguard/rke2-runtime-1.34pkg:apk/chainguard/rke2-runtime-1.35pkg:apk/chainguard/spegelpkg:apk/chainguard/spegel-fipspkg:apk/wolfi/ipfs-clusterpkg:apk/wolfi/k3spkg:apk/wolfi/k3s-1.32pkg:apk/wolfi/k3s-1.33pkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k3s-static-1.32pkg:apk/wolfi/kubopkg:apk/wolfi/spegelpkg:golang/github.com/quic-go/webtransport-gopkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.1.5-r5+ 25 more
- (no CPE)range: < 1.1.5-r5
- (no CPE)range: < 1.1.5-r4
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 1.33.9.1-r3
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.31.6.1-r13
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 0.39.0-r5
- (no CPE)range: < 1.31.14.2.1-r8
- (no CPE)range: < 1.32.12.2.1-r2
- (no CPE)range: < 1.33.8.2.1-r2
- (no CPE)range: < 1.34.4.2.1-r2
- (no CPE)range: < 1.35.1.2.1-r2
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: < 1.1.5-r5
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 1.33.9.1-r3
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 0.39.0-r5
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: >= 0.3.0, < 0.10.0
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
- Range: < 0.10.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-g6x7-jq8p-6q9qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21434ghsaADVISORY
- github.com/quic-go/webtransport-go/releases/tag/v0.10.0ghsax_refsource_MISCWEB
- github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.