CVE-2026-21435 is a denial of service vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting webtransport-go, a Go language implementation of the WebTransport protocol over QUIC. The vulnerability exists in versions prior to 0.10.0. WebTransport sessions rely on QUIC streams for communication, including a CONNECT stream used to manage session lifecycle. An attacker acting as a malicious peer can exploit the QUIC flow control mechanism by withholding flow control credit on the CONNECT stream. This prevents the transmission of the WT_CLOSE_SESSION capsule, which is responsible for signaling the closure of a WebTransport session. As a result, the session close operation hangs indefinitely, consuming resources and potentially leading to denial of service conditions. The attack requires no privileges or user interaction and can be executed remotely. The vulnerability does not impact confidentiality or integrity but affects availability by causing resource exhaustion or hanging of session closure processes. The issue was addressed and fixed in webtransport-go version 0.10.0 by ensuring proper handling of flow control and session closure. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 5.3, reflecting medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability.

The primary impact of CVE-2026-21435 is denial of service through resource exhaustion or hanging of WebTransport session closure operations. Organizations running webtransport-go versions prior to 0.10.0 may experience degraded service availability or outages if targeted by attackers exploiting this vulnerability. This can affect web applications or services relying on WebTransport for real-time, low-latency communication, such as streaming, gaming, or interactive web apps. The inability to close sessions properly could lead to resource leaks, increased memory and CPU usage, and potential cascading failures in service infrastructure. While the vulnerability does not compromise data confidentiality or integrity, the availability impact can disrupt business operations, degrade user experience, and increase operational costs. The risk is heightened for high-traffic services or those exposed to untrusted peers over the internet. Since no authentication or user interaction is required, the attack surface is broad, increasing the likelihood of exploitation attempts in hostile environments.

The most effective mitigation is to upgrade webtransport-go to version 0.10.0 or later, where the vulnerability is fixed. For organizations unable to upgrade immediately, consider implementing network-level controls to restrict or monitor QUIC traffic from untrusted sources to reduce exposure. Rate limiting and connection throttling on QUIC streams may help mitigate resource exhaustion attempts. Implement robust monitoring and alerting for abnormal session durations or resource usage patterns indicative of hanging session closures. Employ WebTransport session management best practices, including timeouts and cleanup mechanisms to reclaim resources from stalled sessions. Additionally, ensure that infrastructure components such as load balancers and proxies support and correctly handle QUIC flow control to avoid exacerbating the issue. Regularly audit and update dependencies to incorporate security patches promptly. Finally, maintain incident response readiness to detect and respond to potential denial of service attempts exploiting this vulnerability.