CVE-2026-21434: CWE-770: Allocation of Resources Without Limits or Throttling in quic-go webtransport-go
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0.
AI Analysis
Technical Summary
CVE-2026-21434 affects the webtransport-go library, an implementation of the WebTransport protocol used for multiplexed, bidirectional communication over QUIC. The vulnerability arises from improper resource management in the session handling code, specifically in processing the WT_CLOSE_SESSION capsule. According to the WebTransport draft specification, the Application Error Message field in this capsule must not exceed 1024 bytes. However, versions 0.3.0 through 0.9.0 of webtransport-go do not enforce this limit, allowing an attacker to send a WT_CLOSE_SESSION capsule containing an arbitrarily large payload. The implementation reads and stores this payload fully in memory without any throttling or limits, leading to uncontrolled memory allocation. This flaw enables an attacker to consume excessive memory on the target system, potentially causing denial-of-service conditions by exhausting available resources. Exploitation requires no privileges or user interaction and can be performed remotely by sending crafted network packets. The vulnerability has a CVSS v3.1 score of 5.3, reflecting a medium severity level primarily due to its impact on availability without affecting confidentiality or integrity. The issue was publicly disclosed on February 12, 2026, and fixed in webtransport-go version 0.10.0. No known exploits have been reported in the wild to date.
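The missing bound, shown as an added example rather than code from webtransport-go: a WT_CLOSE_SESSION capsule parser that compares the declared length against the draft limit before allocating or reading anything, so a peer cannot make the session hold an unbounded message in memory. The capsule type value 0x2843 is assumed from the WebTransport draft, not taken from the advisory.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
)

// Capsule type value assumed from draft-ietf-webtrans-http3; 1024 is the draft limit the advisory cites.
const (
	capsuleTypeCloseSession = 0x2843
	maxCloseMessageLen      = 1024
)

var ErrMessageTooLong = errors.New("WT_CLOSE_SESSION: Application Error Message exceeds 1024 bytes")
// readVarInt decodes a QUIC variable-length integer (RFC 9000, section 16).
func readVarInt(r io.ByteReader) (uint64, error) {
	b, err := r.ReadByte()
	if err != nil {
		return 0, err
	}
	n, v := 1<<(b>>6), uint64(b&0x3f)
	for i := 1; i < n; i++ {
		if b, err = r.ReadByte(); err != nil {
			return 0, err
		}
		v = v<<8 | uint64(b)
	}
	return v, nil
}

// ParseCloseSession reads one WT_CLOSE_SESSION capsule. The declared length is
// checked before any buffer is allocated, so an oversized message is never stored.
func ParseCloseSession(r interface{ io.Reader; io.ByteReader }) (uint32, string, error) {
	if typ, err := readVarInt(r); err != nil || typ != capsuleTypeCloseSession {
		return 0, "", errors.New("expected a WT_CLOSE_SESSION capsule")
	}
	length, err := readVarInt(r)
	if err != nil || length < 4 { // the 4-byte Application Error Code must be present
		return 0, "", errors.New("malformed capsule length")
	}
	if length-4 > maxCloseMessageLen {
		return 0, "", ErrMessageTooLong // the check missing in 0.3.0 through 0.9.0
	}
	buf := make([]byte, length) // bounded: at most 4+1024 bytes
	if _, err := io.ReadFull(r, buf); err != nil {
		return 0, "", err
	}
	return binary.BigEndian.Uint32(buf[:4]), string(buf[4:]), nil
}
```

Without the length comparison, the `make` call would size its buffer from a peer-controlled value, which is exactly the allocation-without-limits pattern the CWE-770 classification describes.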
Potential Impact
For European organizations, this vulnerability poses a risk of denial-of-service attacks against services relying on vulnerable versions of webtransport-go. Since WebTransport is designed for low-latency, multiplexed communication over QUIC, it may be used in real-time applications such as media streaming, remote collaboration, or IoT device communication. An attacker exploiting this flaw could cause service disruptions by exhausting server memory, leading to degraded performance or crashes. This can impact business continuity, user experience, and potentially lead to financial losses or reputational damage. Organizations in sectors with high reliance on real-time web communication, such as telecommunications, media, and critical infrastructure, may be particularly affected. Additionally, the lack of authentication or user interaction requirements lowers the barrier for attackers to exploit this remotely. However, the absence of known exploits and the medium CVSS score suggest the threat is moderate but should not be underestimated given the potential for large-scale attacks if bandwidth permits.
Mitigation Recommendations
European organizations should immediately upgrade all instances of webtransport-go to version 0.10.0 or later, where the vulnerability is fixed by enforcing the 1024-byte limit on the Application Error Message field. Until upgrades can be applied, network-level mitigations should be implemented, such as rate limiting and deep packet inspection to detect and block unusually large WT_CLOSE_SESSION capsules or abnormal WebTransport traffic patterns. Because WebTransport capsules travel inside encrypted QUIC streams, such inspection is only possible at a point that terminates TLS, for example a reverse proxy in front of the application. Deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to identify and drop oversized payloads can reduce the attack surface. Monitoring memory usage and establishing alerting for abnormal resource consumption on servers running webtransport-go is recommended to detect potential exploitation attempts early. Additionally, organizations should review their exposure of WebTransport services to untrusted networks and consider restricting access where feasible. Regular vulnerability scanning and patch management processes should be enforced to prevent exploitation of this and similar vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T03:00:29.275Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698e1d24c9e1ff5ad8febc9e
Added to database: 2/12/2026, 6:34:12 PM
Last enriched: 2/12/2026, 6:49:07 PM
Last updated: 2/12/2026, 8:56:16 PM