CVE-2026-21438

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions webtransport-go versions prior to 0.10.0

Description An attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. A malicious peer can exploit this by opening and closing a large number of streams, leading to continuous memory growth proportional to the number of closed streams. The software maintains an internal map tracking WebTransport streams, and affected versions did not remove entries for closed streams from this map.

Recommendations Update to version 0.10.0 or later.

Exploit

Fix

Memory Leak

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-401CWE-459

Related Identifiers

CVE-2026-21438

GHSA-2F2X-8MWP-P2GC

GO-2026-4483

SUSE-SU-2026:0757-1

Affected Products

Webtransport-Go

CVE-2026-21438

Weakness Enumeration

Related Identifiers

Affected Products

References · 118