CVE-2026-21438

Source
https://cve.org/CVERecord?id=CVE-2026-21438
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21438.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-21438
Published
2026-02-12T18:25:34.107Z
Modified
2026-03-04T22:28:57.064417Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map
Details

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

Database specific
{
    "cwe_ids": [
        "CWE-401",
        "CWE-459"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21438.json"
}

Affected packages

Git / github.com/quic-go/webtransport-go

Affected ranges

Type
GIT
Repo
https://github.com/quic-go/webtransport-go
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.7.0
v0.8.0
v0.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21438.json"