Golang
CVE-2026-21434
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
AnalysisAI
Webtransport-go versions 0.3.0 through 0.9.0 fail to enforce the 1024-byte limit on Application Error Messages in WT_CLOSE_SESSION capsules, allowing remote attackers to trigger unbounded memory consumption by sending oversized payloads. An unauthenticated attacker can exhaust server memory and cause denial of service, requiring only sufficient bandwidth to transmit the malicious payload. The vulnerability is resolved in version 0.10.0, though no patch is currently available for affected versions.
Technical ContextAI
Classified as CWE-770 (Allocation of Resources Without Limits or Throttling). Affects Webtransport-Go. webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to c
RemediationAI
Fixed in version 0.10.0.. Restrict network access to the affected service where possible.
Erugo file-sharing platform up to version 0.2.14 has a CVSS 10.0 path traversal allowing authenticated users to read any
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie
Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.p
CGI path splitting vulnerability in FrankenPHP before 1.11.2 — Unicode characters bypass path validation during CGI proc
Free5gc NRF 1.4.0 has an authorization bypass in access token generation that allows authenticated users to request toke
Algo 8028 Control Panel version 3.3.3 contains a command injection vulnerability in the fm-data.lua endpoint that allows
Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve una
Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve comp
DPanel is an open source server management panel written in Go. Prior to 1.9.2, DPanel has an arbitrary file deletion vu
Mobilego versions up to 8.5.0 is affected by incorrect permission assignment for critical resource (CVSS 7.8).
Mikogo 5.2.2.150317 contains an unquoted service path vulnerability in the Mikogo-Service Windows service configuration.
Remote attackers can inject arbitrary command-line arguments into bird-lg-go's traceroute module through unsanitized use
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-g6x7-jq8p-6q9q