PT-2026-7868 · Unknown · Webtransport-Go

Marten-Seemann · Published 2026-02-12 · Updated 2026-03-03 · CVE-2026-21434

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: webtransport-go versions 0.3.0 through 0.9.0

Description: webtransport-go’s session implementation is susceptible to excessive memory consumption. An attacker can send a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated 1024-byte limit on this field, so a message payload of arbitrary size is fully read and stored in memory. An attacker can therefore consume an arbitrary amount of memory, but must transmit the full payload to do so.

Recommendations: Upgrade to version 10.0.0 or later.
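
A bounded read of the kind the description calls for, shown as an added Go example; it is not webtransport-go's code or its actual fix. It assumes the capsule payload is a 4-byte big-endian Application Error Code followed by the message, and that the reader yields only that payload; `parseCloseSession` and `buildPayload` are hypothetical names.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxCloseMessageLen is the 1024-byte limit the advisory says was not enforced.
const maxCloseMessageLen = 1024

var errMessageTooLong = errors.New("close session: application error message exceeds 1024 bytes")

// parseCloseSession reads a WT_CLOSE_SESSION capsule payload from r.
// Assumed layout: 4-byte big-endian error code, then message bytes until EOF.
func parseCloseSession(r io.Reader) (uint32, string, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, "", fmt.Errorf("close session: reading error code: %w", err)
	}
	// Read at most limit+1 bytes: the extra byte only detects oversize input,
	// so memory use stays bounded no matter how much the peer sends.
	msg, err := io.ReadAll(io.LimitReader(r, maxCloseMessageLen+1))
	if err != nil {
		return 0, "", fmt.Errorf("close session: reading message: %w", err)
	}
	if len(msg) > maxCloseMessageLen {
		return 0, "", errMessageTooLong
	}
	return binary.BigEndian.Uint32(hdr[:]), string(msg), nil
}

// buildPayload returns a constructed sample payload with a msgLen-byte message.
func buildPayload(code uint32, msgLen int) []byte {
	p := binary.BigEndian.AppendUint32(nil, code)
	return append(p, bytes.Repeat([]byte{'A'}, msgLen)...)
}

func main() {
	for _, n := range []int{16, 1024, 1025, 4096} {
		_, msg, err := parseCloseSession(bytes.NewReader(buildPayload(7, n)))
		fmt.Printf("message=%d bytes -> accepted=%d err=%v\n", n, len(msg), err)
	}
}
```

Rejecting on the first byte past the limit means the receiver never buffers more than 1025 message bytes, regardless of the length the capsule header declares.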

Exploit

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-21434
GHSA-G6X7-JQ8P-6Q9Q
GO-2026-4485
SUSE-SU-2026:0757-1

Affected Products

Webtransport-Go