PT-2026-7869 · Unknown · Webtransport-Go

Marten-Seemann

Published: 2026-02-12 · Updated: 2026-03-03 · CVE-2026-21435

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

webtransport-go versions prior to 0.10.0

Description

A malicious peer can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. Specifically, a peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. The WebTransport protocol signals session termination by sending a WT_CLOSE_SESSION capsule on the CONNECT stream. Affected versions blocked indefinitely while waiting for sufficient QUIC flow control credit from the peer.

Recommendations

Update to version 0.10.0 or later.
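
The failure mode in the description is a close that waits without bound on a peer that never lets the write proceed; one defensive pattern is to bound that write with a deadline and tear down regardless. This is an added example, not webtransport-go's code or its 0.10.0 fix: `net.Pipe` stands in for the CONNECT stream, and `closeSession`, `runScenario` and the message bytes are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// closeSession sends a close message and then releases conn. The write is
// bounded by timeout so a peer that never lets it proceed cannot hang the
// caller. The bool reports whether the peer received the message.
// conn stands in for the CONNECT stream (an assumption of this example).
func closeSession(conn net.Conn, msg []byte, timeout time.Duration) (bool, error) {
	defer conn.Close() // release local state on every path
	if err := conn.SetWriteDeadline(time.Now().Add(timeout)); err != nil {
		return false, err
	}
	if _, err := conn.Write(msg); err != nil {
		if errors.Is(err, os.ErrDeadlineExceeded) {
			return false, nil // peer stalled: give up on graceful close, still tear down
		}
		return false, err
	}
	return true, nil
}

// runScenario models the peer with net.Pipe, whose Write blocks until the
// other end reads. A peer that never reads plays the role of one that
// withholds flow control credit. The message bytes are a constructed sample.
func runScenario(peerReads bool, timeout time.Duration) (bool, time.Duration, error) {
	local, peer := net.Pipe()
	defer peer.Close()
	if peerReads {
		go io.Copy(io.Discard, peer) // cooperative peer drains the stream
	}
	start := time.Now()
	graceful, err := closeSession(local, []byte("close-session (sample)"), timeout)
	return graceful, time.Since(start), err
}

func main() {
	for _, reads := range []bool{true, false} {
		g, d, err := runScenario(reads, 100*time.Millisecond)
		fmt.Printf("peerReads=%v graceful=%v elapsed=%v err=%v\n", reads, g, d.Round(10*time.Millisecond), err)
	}
}
```

Without the `SetWriteDeadline` call, the stalled-peer scenario never returns, which is the hang the advisory describes.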

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-21435
GHSA-PX4R-G4P3-HHQV
GO-2026-4488
SUSE-SU-2026:0757-1

Affected Products

Webtransport-Go