DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-21435: The Infinite Goodbye: Choking WebTransport with Flow Control

#security #cve #cybersecurity

The Infinite Goodbye: Choking WebTransport with Flow Control

Vulnerability ID: CVE-2026-21435
CVSS Score: 5.3
Published: 2026-02-12

In the world of async networking, shutting down a connection is supposed to be a graceful handshake. But for webtransport-go prior to v0.10.0, it became a death grip. A vulnerability in the session closure logic allows a malicious peer to perform a Denial of Service (DoS) by simply refusing to acknowledge the end of the conversation. By withholding QUIC flow control credits on the critical CONNECT stream, an attacker can force the server to wait indefinitely for a write permission that never comes. The result? A massive leak of goroutines and memory, silently suffocating the application while it politely waits to say 'goodbye'.

TL;DR

A DoS vulnerability in webtransport-go allows attackers to hang server sessions indefinitely by withholding QUIC flow control credits during closure. This causes the server's CloseWithError function to block forever, leading to goroutine leaks and resource exhaustion. Fixed in v0.10.0.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 (Uncontrolled Resource Consumption)
  • CVSS v3.1: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
  • Attack Vector: Network (QUIC Stream Manipulation)
  • Impact: Denial of Service (Goroutine/Memory Leak)
  • Status: Fixed in v0.10.0
  • Exploit Maturity: Proof of Concept (Trivial)

Affected Systems

  • Go applications using webtransport-go < v0.10.0
  • WebTransport servers based on quic-go
  • HTTP/3 gateways terminating WebTransport sessions
  • webtransport-go: < 0.10.0 (Fixed in: v0.10.0)

Code Analysis

Commit: 9d448b1

Fix: correctly handle stream resets and concurrent closes to prevent hanging

N/A
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Theory: Exploitation involves a modified QUIC client that withholds MAX_STREAM_DATA frames.

Mitigation Strategies

  • Update webtransport-go dependency to v0.10.0 or higher immediately.
  • Implement strict timeouts on the underlying QUIC connection contexts as a failsafe.
  • Monitor goroutine counts to detect active exploitation attempts.

Remediation Steps:

  1. Open your go.mod file.
  2. Locate the github.com/quic-go/webtransport-go dependency.
  3. Update the version tag to v0.10.0.
  4. Run go mod tidy and go build to ensure the new version is integrated.

References

Read the full report for CVE-2026-21435 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)