The Zombie Stream Apocalypse: Analyzing CVE-2026-21438 in webtransport-go
Vulnerability ID: CVE-2026-21438
CVSS Score: 5.3
Published: 2026-02-12
A comprehensive analysis of a memory exhaustion vulnerability in the webtransport-go library. By failing to remove closed streams from an internal tracking map, the library allows attackers to trigger a Denial of Service (DoS) via unlimited memory consumption, bypassing standard concurrency limits.
TL;DR
The webtransport-go library prior to v0.10.0 fails to delete stream references from an internal map after they are closed. Attackers can open and immediately close millions of streams, bloating the server's memory until it crashes (OOM), even while staying within 'active stream' limits.
Technical Details
- CWE: CWE-401 (Memory Leak)
- CVSS: 5.3 (Medium)
- Attack Vector: Network
- Exploit Status: Trivial / High Likelihood
- Impact: Denial of Service (OOM)
- Privileges: None
Affected Systems
- WebTransport Servers using quic-go/webtransport-go < 0.10.0
- Go applications implementing HTTP/3 over QUIC with WebTransport support
- webtransport-go: < 0.10.0 (Fixed in: 0.10.0)
Exploit Details
- Internal Analysis: Exploitation is trivial via repeated stream creation and reset within a single session.
Mitigation Strategies
- Update webtransport-go to version v0.10.0 or higher.
- Implement memory usage monitoring on WebTransport endpoints.
- Restart services periodically if immediate patching is not possible (band-aid solution).
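The pattern described in the TL;DR, and the monitoring rule the mitigation list asks for, as an added Go example that is not code from webtransport-go or from the report: a toy stream tracker keeps an `id -> state` map, and a flag decides whether `Close` deletes the entry (the fixed behaviour) or leaves it behind (the CWE-401 pattern). The `StreamTracker`, `Churn` and `LeakSuspected` names, the 64-byte per-stream buffer, and the workload of one stream open at a time are all constructed for this illustration. The point it makes is that a limit on concurrent streams only looks at the active count, so the map can grow without ever tripping the limit, and that `Tracked() - Active()` is the number a monitor should alarm on.

```go
package main

import "fmt"

// StreamID is a QUIC-style stream identifier (constructed for this example).
type StreamID uint64

// streamState stands in for whatever per-stream bookkeeping a server keeps.
type streamState struct {
	id     StreamID
	closed bool
	buf    []byte // payload buffer, present only so the leak costs real memory
}

// StreamTracker mirrors the shape of an internal "id -> stream" map. Whether
// Close deletes the map entry is the only difference between the leaky and the
// fixed behaviour; fixAfterClose selects it.
type StreamTracker struct {
	streams       map[StreamID]*streamState
	active        int  // streams currently open, i.e. what a concurrency limit counts
	fixAfterClose bool // false: reproduce the CWE-401 pattern; true: delete on close
}

func NewStreamTracker(fixAfterClose bool) *StreamTracker {
	return &StreamTracker{streams: make(map[StreamID]*streamState), fixAfterClose: fixAfterClose}
}

// Open registers a new stream. The active-stream limit only consults t.active,
// which is why a limit on concurrent streams does not bound the map.
func (t *StreamTracker) Open(id StreamID, maxActive int) error {
	if t.active >= maxActive {
		return fmt.Errorf("stream %d rejected: %d active streams (limit %d)", id, t.active, maxActive)
	}
	if _, dup := t.streams[id]; dup {
		return fmt.Errorf("stream %d already tracked", id)
	}
	t.streams[id] = &streamState{id: id, buf: make([]byte, 64)}
	t.active++
	return nil
}

// Close marks the stream closed. In the leaky variant the entry stays in the map
// forever; in the fixed variant it is deleted so the garbage collector can reclaim it.
func (t *StreamTracker) Close(id StreamID) bool {
	s, ok := t.streams[id]
	if !ok || s.closed {
		return false
	}
	s.closed = true
	t.active--
	if t.fixAfterClose {
		delete(t.streams, id)
	}
	return true
}

// Active and Tracked are the two numbers a monitor should compare.
func (t *StreamTracker) Active() int  { return t.active }
func (t *StreamTracker) Tracked() int { return len(t.streams) }

// Churn is a load-test workload: open and close n streams one at a time, never
// holding more than one open, and report the final Active/Tracked counts.
func Churn(t *StreamTracker, n int) (active, tracked int) {
	for i := 0; i < n; i++ {
		id := StreamID(i * 4) // client-initiated bidirectional QUIC stream IDs go 0, 4, 8, ...
		if err := t.Open(id, 1); err != nil {
			panic(err) // with one stream open at a time the limit is never reached
		}
		t.Close(id)
	}
	return t.Active(), t.Tracked()
}

// LeakSuspected is the monitoring rule: tracked entries exceeding the active
// count by more than slack means closed streams are being retained.
func LeakSuspected(t *StreamTracker, slack int) bool {
	return t.Tracked()-t.Active() > slack
}

func main() {
	for _, fixed := range []bool{false, true} {
		t := NewStreamTracker(fixed)
		a, tr := Churn(t, 100000)
		fmt.Printf("fixed=%v active=%d tracked=%d leakSuspected=%v\n", fixed, a, tr, LeakSuspected(t, 10))
	}
}
```

Running it prints the leaky tracker holding 100000 entries with zero active streams and the fixed one holding none. In a real deployment the equivalent metric is resident memory of the process against the server's own active-stream gauge; if memory climbs while the gauge stays flat, closed streams are being retained somewhere.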
Remediation Steps:
- Modify go.mod to require github.com/quic-go/webtransport-go v0.10.0.
- Run go mod tidy to resolve dependencies.
- Update quic-go to v0.59.0 to ensure compatibility.
- Rebuild and redeploy the application.
- Verify memory usage stability under load testing.
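A check for the first remediation step, as an added Go example that is not part of the report: it scans a go.mod for the webtransport-go require line (single-line or parenthesised block form, `// indirect` comments ignored), compares the pinned version against the fixed release v0.10.0 from the advisory, and reports whether the module is still vulnerable. The sample go.mod, its module name and the quic-go pin it contains are constructed; the semver comparison is a minimal one written here so the block needs no module outside the standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample go.mod for a service still on a vulnerable release.
const sampleGoMod = `module example.com/wt-server

go 1.22

require (
	github.com/quic-go/quic-go v0.58.0
	github.com/quic-go/webtransport-go v0.9.0 // indirect
)
`

// Module path and first fixed version, both taken from the advisory.
const (
	webtransportModule = "github.com/quic-go/webtransport-go"
	fixedVersion       = "v0.10.0"
)

// RequiredVersion scans a go.mod and returns the version required for module,
// handling both `require m v` and the parenthesised block form.
func RequiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	inBlock := false
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i] // drop trailing comments such as "// indirect"
		}
		fields := strings.Fields(line)
		switch {
		case len(fields) == 0:
			continue
		case fields[0] == "require" && len(fields) == 2 && fields[1] == "(":
			inBlock = true
		case inBlock && fields[0] == ")":
			inBlock = false
		case fields[0] == "require" && len(fields) == 3:
			if fields[1] == module {
				return fields[2], true
			}
		case inBlock && len(fields) == 2:
			if fields[0] == module {
				return fields[1], true
			}
		}
	}
	return "", false
}

// parts splits "vMAJOR.MINOR.PATCH[-pre][+build]" into numeric components and
// reports whether a pre-release suffix was present (pseudo-versions count as one).
func parts(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := false
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], true
	}
	var out [3]int
	for i, s := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(s)
		out[i] = n
	}
	return out, pre
}

// CompareSemver returns -1, 0 or 1; a pre-release sorts before its final release.
func CompareSemver(a, b string) int {
	pa, preA := parts(a)
	pb, preB := parts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	if preA != preB {
		if preA {
			return -1
		}
		return 1
	}
	return 0
}

// VulnerableWebtransport reports whether go.mod pins webtransport-go below the
// fixed release; found=false distinguishes "module not used" from "patched".
func VulnerableWebtransport(goMod string) (vulnerable, found bool, version string) {
	v, ok := RequiredVersion(goMod, webtransportModule)
	if !ok {
		return false, false, ""
	}
	return CompareSemver(v, fixedVersion) < 0, true, v
}

func main() {
	vuln, found, v := VulnerableWebtransport(sampleGoMod)
	fmt.Printf("found=%v version=%s vulnerable=%v\n", found, v, vuln)
}
```

This only inspects the direct pin in go.mod; the version actually built comes from go.sum and minimal version selection across all dependencies, so after editing go.mod the `go mod tidy` step in the list, followed by `go list -m github.com/quic-go/webtransport-go`, is what confirms the resolved version.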
References
Read the full report for CVE-2026-21438 on our website for more details including interactive diagrams and full exploit analysis.