CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-21434

The Never-Ending Goodbye: Crashing WebTransport with Unbounded Errors

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 12, 2026·6 min read·21 visits

Executive Summary (TL;DR)

The `webtransport-go` library forgot to put a cap on how much it reads when a client says "goodbye." An attacker can send a `CLOSE_SESSION` frame claiming to have a 10GB error message, and the server will dutifully try to allocate RAM for it until it crashes.

A logic flaw in the `webtransport-go` library allows an unauthenticated attacker to exhaust server memory by sending a specially crafted `WT_CLOSE_SESSION` capsule. By declaring a massive error message length and streaming junk data, the server attempts to buffer the entire message into memory via `io.ReadAll`, resulting in a Denial of Service (OOM).

The Hook: WebTransport's Shiny New Attack Surface

WebTransport is the new hotness in the protocol world. Built on top of HTTP/3 and QUIC, it promises to do everything WebSockets did, but faster, with less head-of-line blocking, and with that fresh "modern protocol" smell. It uses the concept of "Capsules" to handle signaling—think of them as control packets flowing alongside your data streams.

But here is the thing about modern protocols: the specifications are usually tighter than a drum, but the implementations? That is where the chaos lives. The IETF draft for WebTransport is very specific about safety limits. It explicitly states that when you close a session, the error message attached to that closure "SHALL NOT" exceed 1024 bytes.

Enter webtransport-go, the Go implementation maintained by the brilliant folks behind quic-go. In their rush to support this complex protocol, they made a classic mistake. They trusted the sender. They assumed that if the spec says "don't send more than 1KB," surely nobody would send more than 1KB, right? Spoiler: I am definitely going to send more than 1KB.

The Flaw: A fatal attraction to io.ReadAll

The vulnerability lives in session.go, specifically within the parseNextCapsule function. This function creates a loop that listens for incoming capsules, parses their type, and handles them accordingly. One such type is WT_CLOSE_SESSION (0x2843), which is used to cleanly terminate a connection.

When a session is closed, the closer can include an error code (4 bytes) and an error message (variable length string). To read this message, the developers reached for the most dangerous weapon in the Go standard library: io.ReadAll.

io.ReadAll is the programming equivalent of an all-you-can-eat buffet where the restaurant is legally required to keep cooking until you stop eating. It reads from the source until it hits EOF. In the context of a QUIC stream, the EOF is determined by the length field in the capsule header. If I, the attacker, send a capsule header claiming my error message is 4 Gigabytes long, io.ReadAll says "Challenge accepted" and begins allocating slices to fit that data.

There was no check. No if length > 1024. Just a blind read into the heap until the garbage collector panics and the kernel kills the process.

The Code: Autopsy of a Memory Leak

Let's look at the crime scene. Below is the code from version 0.9.0. Notice the complete lack of defensive programming around the message retrieval.

// Vulnerable Code in v0.9.0/session.go
 
case closeWebtransportSessionCapsuleType:
    b := make([]byte, 4)
    // Read the 4-byte error code
    if _, err := io.ReadFull(r, b); err != nil {
        return err
    }
    appErrCode := binary.BigEndian.Uint32(b)
 
    // THE BUG: Reads until EOF (defined by capsule length)
    appErrMsg, err := io.ReadAll(r) 
    if err != nil {
        return err
    }

The fix is almost frustratingly simple. It involves wrapping the reader in an io.LimitReader, which acts as a bouncer, cutting off the stream once the limit is reached.

// Patched Code in v0.10.0/session.go
 
const maxCloseCapsuleErrorMsgLen = 1024
 
// ... inside the case statement ...
 
// THE FIX: Enforce the 1024 byte limit strictly
appErrMsg, err := io.ReadAll(io.LimitReader(r, maxCloseCapsuleErrorMsgLen))
if err != nil {
    return err
}

By adding that LimitReader, the server now reads at most 1024 bytes. If the attacker sends 4GB, the server reads the first kilobyte, processes the error, and ignores the rest (or resets the stream), saving the heap from exhaustion.

The Exploit: Saying Goodbye, Slowly

Exploiting this is trivial and requires no authentication. We just need to establish a valid WebTransport session and then lie about how much we have to say before we leave.

Here is the attack chain:

  1. Handshake: Perform a standard HTTP/3 handshake and upgrade to WebTransport.
  2. Frame Injection: Construct a WT_CLOSE_SESSION capsule. In the capsule header, we encode a VarInt length field of 0xFFFFFFFF (approx 4GB) or higher.
  3. The Flooding: Immediately after the header and the 4-byte error code, we start streaming 'A's. We don't even need to send the full 4GB fast; we just need to send it faster than the server can GC, or simply hold the connection open while the server allocates the buffer capacity.

Because io.ReadAll grows its buffer exponentially to accommodate incoming data, the server's memory usage will spike. Do this across 10 or 20 concurrent connections, and you will OOM virtually any standard containerized deployment.

The Impact: Asymmetric Warfare

While the CVSS score is a modest 5.3 (Medium), don't let that fool you. In a microservices environment, this is a nuclear option for a script kiddie. The asymmetry is the killer here: the attacker needs very little bandwidth to trigger massive memory allocations on the server.

If your Go application sits directly on the internet (which, given it is HTTP/3 / UDP, it likely does), it is vulnerable. Standard HTTP WAFs often struggle to inspect deep inside QUIC datagrams or encrypted HTTP/3 frames without full decryption and re-encryption proxies, which are computationally expensive. This means the bad packet is likely hitting your application logic directly.

This isn't just about crashing a single pod. If you are running an autoscaling group based on memory usage, an attacker could theoretically trick your orchestrator into spinning up max instances before crashing them all, hitting your wallet before hitting your availability.

The Fix: Upgrade or Die

The mitigation is straightforward: Update webtransport-go to v0.10.0. There are no clever configuration workarounds here because the vulnerability is inside the compiled logic of the library's frame parser.

If you are a developer using this library, check your go.mod file today.

> [!NOTE] > For Security Researchers: If you are looking for similar bugs, search for io.ReadAll in any networking library processing length-prefixed fields. It is the "SQL Injection" of memory corruption in Go.

Official Patches

quic-goFix commit implementing io.LimitReader

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Systems

Go applications using github.com/quic-go/webtransport-goHTTP/3 gateways using this libraryWebTransport enabled backend services

Affected Versions Detail

Product
Affected Versions
Fixed Version
webtransport-go
quic-go
>= 0.3.0, < 0.10.00.10.0
AttributeDetail
CWE IDCWE-770
Attack VectorNetwork (UDP/QUIC)
CVSS v3.15.3 (Medium)
ImpactDenial of Service (OOM)
Affected Componentsession.go (parseNextCapsule)
Fix ApproachInput Truncation (io.LimitReader)

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
T1499.003Application or System Exploitation
Impact
CWE-770
Allocation of Resources Without Limits or Throttling

Allocation of Resources Without Limits or Throttling

Known Exploits & Detection

N/AThe advisory describes the method of exploitation via large WT_CLOSE_SESSION frames.

Vulnerability Timeline

Fix commit authored
2026-01-12
Vulnerability Disclosed (GHSA-g6x7-jq8p-6q9q)
2026-02-12
Version 0.10.0 Released
2026-02-12

References & Sources

  • [1]GitHub Advisory GHSA-g6x7-jq8p-6q9q
  • [2]WebTransport over HTTP/3 Draft Specification

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 2 hours ago•GHSA-387M-935M-C4VW
7.5

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 3 hours ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 4 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 4 hours ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 5 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
5 views•6 min read