CVE-2026-21438

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

webtransport-go: Memory Exhaustion Attack due to Missing Cleanup of Streams Map in github.com/quic-go/webtransport-go

## Summary An attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. ## Details webtransport-go maintains an internal map tracking WebTransport streams (both unidirectional and bidirectional) belonging to a session. In affected versions, entries for closed streams were not removed from this map, causing the map to grow indefinitely as streams were created and closed. A malicious peer can exploit this by opening large numbers of streams and closing them, leading to steady memory growth proportional to the number of closed streams. ## The Fix webtransport-go now removes closed streams from the internal map upon closure. This allows the associated resources to be garbage collected, bounding memory usage to active streams only.

webtransport-go es una implementación del protocolo WebTransport. Antes de la versión 0.10.0, un atacante podía causar un consumo de memoria ilimitado creando y cerrando repetidamente muchas transmisiones WebTransport. Las transmisiones cerradas no se eliminaban de un mapa de sesión interno, lo que impedía la recolección de basura de sus recursos. Esta vulnerabilidad está corregida en la v0.10.0.