An attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.
webtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed.
A malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams.
webtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.
| Score | Percentile |
|---|---|
| 0.02% | 4.69% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.3 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-2f2x-8mwp-p2gc ↗ |
| CVE | CVE-2026-21438 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/quic-go/webtransport-go | <= 0.9.0 | 0.10.0 | — |