CVE-2026-21438

Name of the Vulnerable Software and Affected Versions webtransport-go versions prior to 0.10.0

Description An attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. A malicious peer can exploit this by opening and closing a large number of streams, leading to continuous memory growth proportional to the number of closed streams. The software maintains an internal map tracking WebTransport streams, and affected versions did not remove entries for closed streams from this map.

Recommendations Update to version 0.10.0 or later.