The Never-Ending Goodbye: Crashing WebTransport with Unbounded Errors
Vulnerability ID: CVE-2026-21434
CVSS Score: 5.3
Published: 2026-02-12
A logic flaw in the webtransport-go library allows an unauthenticated attacker to exhaust server memory by sending a specially crafted WT_CLOSE_SESSION capsule. By declaring a massive error message length and streaming junk data, the server attempts to buffer the entire message into memory via io.ReadAll, resulting in a Denial of Service (OOM).
TL;DR
The webtransport-go library forgot to put a cap on how much it reads when a client says "goodbye." An attacker can send a CLOSE_SESSION frame claiming to have a 10GB error message, and the server will dutifully try to allocate RAM for it until it crashes.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-770
- Attack Vector: Network (UDP/QUIC)
- CVSS v3.1: 5.3 (Medium)
- Impact: Denial of Service (OOM)
- Affected Component: session.go (parseNextCapsule)
- Fix Approach: Input Truncation (io.LimitReader)
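To make the flaw and the fix concrete, here is an added Go example (not code from webtransport-go itself). It models a WT_CLOSE_SESSION capsule in a simplified form: the header is assumed to be a fixed 8-byte big-endian declared payload length (the real protocol uses QUIC varints), the payload is a 4-byte application error code followed by the reason string, and `maxCloseMessageLen` is an assumed cap. `parseCloseUnbounded` reproduces the vulnerable pattern of trusting the declared length and draining the stream with `io.ReadAll`; `parseCloseBounded` rejects an oversized declared length before reading any payload and wraps the body in `io.LimitReader`, so a peer that lies about the length still cannot push more than the cap into memory. The `junkSource` reader stands in for a peer streaming filler and counts how many bytes each parser actually buffered.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Constructed, simplified capsule layout for this example (assumption, not the
// library's real wire format): 8-byte big-endian declared payload length, then a
// 4-byte application error code, then the UTF-8 reason string.
const (
	headerLen          = 8
	errorCodeLen       = 4
	maxCloseMessageLen = 1024 // assumed cap on the reason string
)

type closeSession struct {
	ErrorCode uint32
	Message   string
}

// readDeclaredLen returns the payload length the peer claims to be sending.
func readDeclaredLen(r io.Reader) (uint64, error) {
	var declared uint64
	if err := binary.Read(r, binary.BigEndian, &declared); err != nil {
		return 0, fmt.Errorf("capsule header: %w", err)
	}
	return declared, nil
}

// decodeBody splits a complete payload into error code and reason string.
func decodeBody(body []byte) (closeSession, error) {
	if len(body) < errorCodeLen {
		return closeSession{}, errors.New("close capsule shorter than error code")
	}
	return closeSession{ErrorCode: binary.BigEndian.Uint32(body[:errorCodeLen]), Message: string(body[errorCodeLen:])}, nil
}

// parseCloseUnbounded mirrors the vulnerable pattern: the declared length is never
// checked and io.ReadAll keeps growing its buffer for as long as the peer streams.
func parseCloseUnbounded(r io.Reader) (closeSession, error) {
	if _, err := readDeclaredLen(r); err != nil {
		return closeSession{}, err
	}
	body, err := io.ReadAll(r) // unbounded allocation driven by the peer
	if err != nil {
		return closeSession{}, err
	}
	return decodeBody(body)
}

// parseCloseBounded is the hardened form: fail fast on an oversized claim, then cap
// the body read with io.LimitReader so the declared length is never trusted alone.
func parseCloseBounded(r io.Reader) (closeSession, error) {
	declared, err := readDeclaredLen(r)
	if err != nil {
		return closeSession{}, err
	}
	maxPayload := uint64(errorCodeLen + maxCloseMessageLen)
	if declared < errorCodeLen || declared > maxPayload {
		return closeSession{}, fmt.Errorf("close capsule length %d outside [%d, %d]", declared, errorCodeLen, maxPayload)
	}
	body, err := io.ReadAll(io.LimitReader(r, int64(declared)))
	if err != nil {
		return closeSession{}, err
	}
	if uint64(len(body)) != declared {
		return closeSession{}, fmt.Errorf("close capsule truncated: got %d of %d bytes", len(body), declared)
	}
	return decodeBody(body)
}

// encodeClose builds a well-formed capsule for a legitimate close.
func encodeClose(code uint32, msg string) []byte {
	buf := make([]byte, headerLen+errorCodeLen, headerLen+errorCodeLen+len(msg))
	binary.BigEndian.PutUint64(buf, uint64(errorCodeLen+len(msg)))
	binary.BigEndian.PutUint32(buf[headerLen:], code)
	return append(buf, msg...)
}

// encodeHeader builds only the header with an arbitrary claimed length.
func encodeHeader(declared uint64) []byte {
	buf := make([]byte, headerLen)
	binary.BigEndian.PutUint64(buf, declared)
	return buf
}

// junkSource is a constructed stand-in for a peer streaming filler after a huge
// declared length; served records how many bytes the parser pulled into memory.
type junkSource struct{ served int64 }

func (j *junkSource) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'A'
	}
	j.served += int64(len(p))
	return len(p), nil
}

func main() {
	const clientStreams = 4 << 20 // 4 MiB is enough to show the growth
	parsers := map[string]func(io.Reader) (closeSession, error){"unbounded": parseCloseUnbounded, "bounded": parseCloseBounded}
	for name, parse := range parsers {
		junk := &junkSource{}
		r := io.MultiReader(bytes.NewReader(encodeHeader(10<<30)), io.LimitReader(junk, clientStreams))
		_, err := parse(r)
		fmt.Printf("%-9s err=%v buffered=%d bytes\n", name, err, junk.served)
	}
	cs, err := parseCloseBounded(bytes.NewReader(encodeClose(0, "bye")))
	fmt.Printf("legit close: %+v err=%v\n", cs, err)
}
```

The range check on the declared length is what stops the attack cheaply, but the `io.LimitReader` on the body matters too: without it, a peer could declare a small length and then keep streaming, and any parser that drains to EOF would buffer it all the same.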
Affected Systems
- Go applications using github.com/quic-go/webtransport-go
- HTTP/3 gateways using this library
- WebTransport enabled backend services
- webtransport-go: >= 0.3.0, < 0.10.0 (Fixed in: 0.10.0)
Exploit Details
- N/A: The advisory describes the method of exploitation via large WT_CLOSE_SESSION frames.
Mitigation Strategies
- Update dependencies immediately
- Implement memory limits at the container level to restart crashed services quickly
- Monitor for high-memory sessions
Remediation Steps:
- Open your project's go.mod file.
- Locate the github.com/quic-go/webtransport-go dependency.
- Update the version to v0.10.0 or higher.
- Run go mod tidy and go mod vendor (if applicable).
- Rebuild and redeploy the application.
References
Read the full report for CVE-2026-21434 on our website for more details including interactive diagrams and full exploit analysis.