Moderate severity · NVD Advisory · Published Feb 12, 2026 · Updated Feb 17, 2026

webtransport-go CloseWithError can block indefinitely

CVE-2026-21435

Description

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
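The blocking behaviour described above can be reproduced in a small model. This is an added example, not code from webtransport-go: `net.Pipe` stands in for the CONNECT stream (its `Write` blocks until the peer reads, like a stream with no flow control credit), and `closeSession`, `tryClose` and the capsule bytes are hypothetical names and constructed data. It compares a close with no write deadline against one that is bounded and always tears the stream down.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"time"
)

// Constructed stand-in for an encoded WT_CLOSE_SESSION capsule.
var closeCapsule = []byte("constructed-close-capsule")

// closeSession (hypothetical) sends the close capsule on the modelled CONNECT stream.
// timeout == 0 sets no write deadline, so it blocks while the peer accepts no data.
func closeSession(stream net.Conn, timeout time.Duration) error {
	if timeout > 0 {
		if err := stream.SetWriteDeadline(time.Now().Add(timeout)); err != nil {
			return err
		}
	}
	_, werr := stream.Write(closeCapsule)
	cerr := stream.Close() // release local state even if the capsule was not sent
	if werr != nil {
		return fmt.Errorf("close capsule not sent: %w", werr)
	}
	return cerr
}

// tryClose (hypothetical) reports whether closeSession is still blocked after observe.
func tryClose(timeout, observe time.Duration, peerReads bool) (hung bool, err error) {
	local, peer := net.Pipe() // synchronous pipe: Write blocks until the peer reads
	defer peer.Close()        // unblocks a stuck writer so its goroutine exits
	if peerReads {
		go io.Copy(io.Discard, peer) // cooperative peer keeps accepting data
	}
	done := make(chan error, 1)
	go func() { done <- closeSession(local, timeout) }()
	select {
	case err = <-done:
		return false, err
	case <-time.After(observe):
		return true, nil
	}
}

func main() {
	fmt.Println(tryClose(0, 200*time.Millisecond, false))            // stalled peer, no deadline
	fmt.Println(tryClose(50*time.Millisecond, 2*time.Second, false)) // stalled peer, bounded
	fmt.Println(tryClose(50*time.Millisecond, 2*time.Second, true))  // cooperative peer
}
```

With a stalled peer the unbounded close is still blocked when the observation window ends, while the bounded close returns a deadline error and the stream is closed locally.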

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/quic-go/webtransport-go (Go) | < 0.10.0 | 0.10.0
