CVE-2026-21435
📋 TL;DR
This vulnerability allows an attacker to cause a denial of service in webtransport-go implementations by preventing WebTransport session closure. An attacker can withhold QUIC flow control credit, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang indefinitely. This affects any system using webtransport-go versions prior to v0.10.0.
💻 Affected Systems
- webtransport-go
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for WebTransport sessions, potentially exhausting server resources and making services unavailable to legitimate users.
Likely Case
Targeted denial of service against specific WebTransport sessions, causing service disruption for affected users.
If Mitigated
Limited impact with proper monitoring and resource limits, though sessions may still hang until timeout.
🎯 Exploit Status
The attack requires establishing a WebTransport connection but no authentication. Exploitation is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.10.0
Vendor Advisory: https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv
Restart Required: Yes
Instructions:
1. Update the webtransport-go dependency to v0.10.0 or later.
2. Update go.mod to require github.com/quic-go/webtransport-go v0.10.0.
3. Rebuild and redeploy the application.
4. Restart all services using webtransport-go.
🔧 Temporary Workarounds
Implement session timeouts
Configure aggressive session timeouts to limit how long hung sessions can consume resources.
// In application code, implement session timeout logic
// Example: Set maximum session duration to 30 seconds
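As an added example (not code from the webtransport-go project or from this advisory), the following Go helper bounds how long a graceful session close may block and falls back to tearing down the transport when that bound is exceeded. The `graceful` and `forceful` closures are assumptions standing in for the application's session-close and QUIC-connection-close calls, and the blocking closer in `main` is constructed to simulate a peer that never grants flow control credit.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrCloseTimeout reports that the graceful close did not complete in time.
var ErrCloseTimeout = errors.New("webtransport session close timed out")

// closeWithTimeout runs the graceful close (assumed to wrap the session's
// close call, which sends the WT_CLOSE_SESSION capsule) in its own goroutine
// and waits at most d for it. If the peer withholds flow control credit that
// send never completes, so after d the forceful close (assumed to wrap the
// underlying QUIC connection's close) is called to release the session's
// resources. A graceful result that arrives in time is returned unchanged.
func closeWithTimeout(graceful, forceful func() error, d time.Duration) error {
	done := make(chan error, 1) // buffered so a late graceful return never leaks a goroutine
	go func() { done <- graceful() }()

	timer := time.NewTimer(d)
	defer timer.Stop()
	select {
	case err := <-done:
		return err
	case <-timer.C:
		// Graceful close is stuck; tear the transport down instead.
		return errors.Join(ErrCloseTimeout, forceful())
	}
}

func main() {
	// Constructed stand-in for a close that blocks because the peer never
	// grants the flow control credit needed to send WT_CLOSE_SESSION.
	credit := make(chan struct{})
	hangingClose := func() error { <-credit; return nil }
	forcefulClose := func() error {
		fmt.Println("QUIC connection closed forcefully")
		return nil
	}

	err := closeWithTimeout(hangingClose, forcefulClose, 200*time.Millisecond)
	fmt.Println("close result:", err)
	close(credit) // release the stand-in goroutine
}
```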
Rate limiting connections
Implement connection rate limiting to prevent mass exploitation.
// Use rate limiting middleware or configure at load balancer
// Example: Limit to 100 connections per IP per minute
🧯 If You Can't Patch
- Implement network segmentation to isolate WebTransport services from untrusted networks.
- Deploy Web Application Firewall (WAF) or reverse proxy with connection limiting and anomaly detection.
🔍 How to Verify
Check if Vulnerable:
Check go.mod or go.sum for the webtransport-go dependency version. If the version is lower than v0.10.0, the system is vulnerable.
Check Version:
grep webtransport-go go.mod || grep webtransport-go go.sum
Verify Fix Applied:
Verify webtransport-go version is >=0.10.0 in go.mod/go.sum and test WebTransport session closure under simulated attack conditions.
📡 Detection & Monitoring
Log Indicators:
- Unusually long WebTransport session durations
- Multiple session timeout events
- High number of concurrent WebTransport sessions
Network Indicators:
- Excessive QUIC connections to WebTransport ports
- Unusual patterns in QUIC flow control usage
SIEM Query:
source="webtransport-logs" AND (session_duration > 300 OR event="timeout") | stats count by src_ip