CVE-2026-21438: CWE-401: Missing Release of Memory after Effective Lifetime in quic-go webtransport-go
webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-21438 is a vulnerability identified in the webtransport-go library, an implementation of the WebTransport protocol used for multiplexed, bidirectional communication over QUIC. Prior to version 0.10.0, the library contains a memory management flaw where closed WebTransport streams are not properly removed from an internal session map. This omission prevents the garbage collector from reclaiming memory associated with these streams, leading to unbounded memory growth. An attacker can exploit this by repeatedly creating and closing WebTransport streams, causing the application to consume increasing amounts of memory until exhaustion occurs. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-459 (Incomplete Cleanup). It does not require authentication or user interaction and can be triggered remotely over the network. The impact is primarily a denial of service condition due to resource exhaustion, with no direct compromise of confidentiality or integrity. The issue was publicly disclosed and assigned CVE-2026-21438 with a CVSS v3.1 base score of 5.3 (medium severity). The fix involves proper removal of closed streams from the session map to allow garbage collection, implemented in webtransport-go version 0.10.0.
Potential Impact
The primary impact of this vulnerability is a denial of service (DoS) through unbounded memory consumption. Attackers can exploit this flaw remotely without authentication or user interaction, making it relatively easy to trigger. Organizations running services that utilize vulnerable versions of webtransport-go may experience degraded performance or crashes due to memory exhaustion, potentially disrupting critical communications or applications relying on WebTransport. This can affect service availability and reliability, leading to operational downtime and potential financial losses. While the vulnerability does not expose sensitive data or allow unauthorized data modification, the disruption of service can have cascading effects, especially in environments where WebTransport is used for real-time or critical data transport. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and medium severity score warrant prompt mitigation.
Mitigation Recommendations
The most effective mitigation is to upgrade all instances of webtransport-go to version 0.10.0 or later, where the vulnerability is fixed. For organizations unable to upgrade immediately, implementing resource limits on memory usage per session or stream can help contain the impact. Monitoring tools should be configured to detect abnormal memory growth patterns indicative of exploitation attempts. Network-level protections such as rate limiting or filtering suspicious traffic patterns targeting WebTransport endpoints can reduce exposure. Additionally, applying application-layer controls to limit the number of streams created per client or session can prevent abuse. Regularly auditing dependencies and maintaining an up-to-date inventory of software versions will facilitate timely patching. Finally, incorporating fuzz testing and memory profiling in development cycles can help identify similar issues proactively.
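The defect described in the analysis above, and the two mitigations just listed (deleting closed streams from the session map, and capping streams per session), modelled as an added Go example. This is not webtransport-go's own code: Stream, Session, maxStreams and the method names are constructed placeholders, and locking is omitted to keep the model short.

```go
package main

import "errors"

// Stream is a constructed stand-in for a WebTransport stream; in the real
// library it owns buffers that should become collectable once closed.
type Stream struct {
	id     uint64
	closed bool
}

func (st *Stream) Closed() bool { return st.closed }

// Session keeps its streams in a map, as the advisory describes.
type Session struct {
	streams    map[uint64]*Stream
	nextID     uint64
	maxStreams int // per-session cap, 0 = unlimited (hypothetical knob)
}

var ErrTooManyStreams = errors.New("per-session stream limit reached")

func NewSession(maxStreams int) *Session {
	return &Session{streams: map[uint64]*Stream{}, maxStreams: maxStreams}
}

// OpenStream registers a stream, refusing once the cap is reached.
func (s *Session) OpenStream() (*Stream, error) {
	if s.maxStreams > 0 && len(s.streams) >= s.maxStreams {
		return nil, ErrTooManyStreams
	}
	st := &Stream{id: s.nextID}
	s.nextID++
	s.streams[st.id] = st
	return st, nil
}

// CloseStreamLeaky models the pre-0.10.0 defect (CWE-401): the stream is
// marked closed but its map entry stays, so the GC can never reclaim it.
func (s *Session) CloseStreamLeaky(st *Stream) { st.closed = true }

// CloseStream is the corrected behaviour: delete the entry on close.
func (s *Session) CloseStream(st *Stream) {
	st.closed = true
	delete(s.streams, st.id)
}

// TrackedStreams is the figure a memory-growth monitor should watch.
func (s *Session) TrackedStreams() int { return len(s.streams) }
```

Note that the cap alone does not fix the leak: with the leaky close, a session that never drops entries reaches the cap after a fixed number of open/close cycles and then refuses legitimate streams, so the map cleanup is the actual fix and the cap is a containment measure.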
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-29T03:00:29.275Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698e1d24c9e1ff5ad8febca6
Added to database: 2/12/2026, 6:34:12 PM
Last enriched: 2/20/2026, 8:22:29 AM
Last updated: 3/29/2026, 11:22:57 PM