VYPR
Moderate severityNVD Advisory· Published Feb 12, 2026· Updated Feb 17, 2026

webtransport-go CloseWithError can block indefinitely

CVE-2026-21435

Description

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/quic-go/webtransport-goGo
< 0.10.00.10.0

Affected products

27

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.