Moderate severityNVD Advisory· Published Feb 12, 2026· Updated Feb 17, 2026
webtransport-go CloseWithError can block indefinitely
CVE-2026-21435
Description
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/quic-go/webtransport-goGo | < 0.10.0 | 0.10.0 |
Affected products
27- osv-coords26 versionspkg:apk/chainguard/ipfs-clusterpkg:apk/chainguard/ipfs-cluster-fipspkg:apk/chainguard/k3spkg:apk/chainguard/k3s-1.32pkg:apk/chainguard/k3s-1.33pkg:apk/chainguard/k3s-staticpkg:apk/chainguard/k3s-static-1.31pkg:apk/chainguard/k3s-static-1.32pkg:apk/chainguard/kubopkg:apk/chainguard/rke2-runtime-1.31pkg:apk/chainguard/rke2-runtime-1.32pkg:apk/chainguard/rke2-runtime-1.33pkg:apk/chainguard/rke2-runtime-1.34pkg:apk/chainguard/rke2-runtime-1.35pkg:apk/chainguard/spegelpkg:apk/chainguard/spegel-fipspkg:apk/wolfi/ipfs-clusterpkg:apk/wolfi/k3spkg:apk/wolfi/k3s-1.32pkg:apk/wolfi/k3s-1.33pkg:apk/wolfi/k3s-staticpkg:apk/wolfi/k3s-static-1.32pkg:apk/wolfi/kubopkg:apk/wolfi/spegelpkg:golang/github.com/quic-go/webtransport-gopkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 1.1.5-r5+ 25 more
- (no CPE)range: < 1.1.5-r5
- (no CPE)range: < 1.1.5-r4
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 1.33.9.1-r3
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.31.6.1-r13
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 0.39.0-r5
- (no CPE)range: < 1.31.14.2.1-r8
- (no CPE)range: < 1.32.12.2.1-r2
- (no CPE)range: < 1.33.8.2.1-r2
- (no CPE)range: < 1.34.4.2.1-r2
- (no CPE)range: < 1.35.1.2.1-r2
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: < 1.1.5-r5
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 1.33.9.1-r3
- (no CPE)range: < 1.35.1.1-r1
- (no CPE)range: < 1.32.13.1-r2
- (no CPE)range: < 0.39.0-r5
- (no CPE)range: < 0.6.0-r4
- (no CPE)range: < 0.10.0
- (no CPE)range: < 0.0.20260226T182644-150000.1.149.1
- Range: < 0.10.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-px4r-g4p3-hhqvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-21435ghsaADVISORY
- github.com/quic-go/webtransport-go/releases/tag/v0.10.0ghsax_refsource_MISCWEB
- github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.