CVE-2026-21438 — Vulnetix

CVE-2026-21438 PUBLISHED CVSS 5.300000190734863 MEDIUM

webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.

EPSS 0.02% · 5.8th percentile

Risk Scores

CVSS v3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score

0.02%

5.8th percentile

Affected Products

Vendor	Product	Versions
github.com	quic-go/webtransport-go	0, 0
quic-go	webtransport-go	0, *, < 0.10.0

Timeline

Feb 12, 2026 CVE Published
Feb 12, 2026 PoC Published
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 17, 2026 EPSS Score
Feb 19, 2026 EPSS Score
Feb 21, 2026 EPSS Score
Feb 22, 2026 EPSS Score
Feb 24, 2026 EPSS Score
Feb 26, 2026 EPSS Score
Feb 28, 2026 EPSS Score
Mar 2, 2026 EPSS Score

References

https://github.com/quic-go/webtransport-go/security/advisories/GHSA-2f2x-8mwp-p2gc url
https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0 url
https://nvd.nist.gov/vuln/detail/CVE-2026-21438 advisory
https://github.com/quic-go/webtransport-go package

Open in Interactive Console →