CVE-2026-21435

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-21435

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21435.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-21435

Aliases

Related

CGA-cj6m-9rxm-v36r

Published

2026-02-12T18:22:58.098Z

Modified

2026-02-23T12:43:59.841014Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

webtransport-go CloseWithError can block indefinitely

Details

webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WTCLOSESESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.

Database specific

{
    "cwe_ids": [
        "CWE-400"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21435.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/quic-go/webtransport-go

Affected ranges

Type: GIT
Repo: https://github.com/quic-go/webtransport-go
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9d448b125754f4c83064afb2c586221214e55eec

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.6.0

v0.7.0

v0.8.0

v0.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21435.json"