CVE-2026-21438 is a memory management vulnerability classified under CWE-401 (Missing Release of Memory after Effective Lifetime) and CWE-459 (Incomplete Cleanup). The flaw exists in the webtransport-go implementation of the WebTransport protocol, a transport layer protocol designed for multiplexed, bidirectional communication over HTTP/3. In versions prior to 0.10.0, when WebTransport streams are closed, their references remain in an internal session map, preventing the Go runtime's garbage collector from reclaiming the associated memory. An attacker can exploit this by rapidly creating and closing many WebTransport streams, causing the server's memory consumption to grow without bound. This can lead to resource exhaustion, degraded performance, or denial of service (DoS). The vulnerability is remotely exploitable without authentication or user interaction, as it only requires network access to the WebTransport service. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the impact on availability only, with no confidentiality or integrity compromise. No known exploits are currently reported in the wild. The issue was publicly disclosed and fixed in version 0.10.0 of webtransport-go, which properly removes closed streams from the session map, allowing garbage collection to free memory. Organizations using webtransport-go versions before 0.10.0 should prioritize patching to prevent potential DoS attacks.

For European organizations, this vulnerability primarily threatens the availability of services that utilize the webtransport-go implementation of the WebTransport protocol. If exploited, attackers can induce unbounded memory consumption leading to server crashes or severe performance degradation, resulting in denial of service. This can disrupt critical web applications, real-time communication platforms, or any service relying on WebTransport for multiplexed streaming. The impact is particularly significant for organizations running public-facing services or those with high traffic volumes, as attackers can remotely trigger the vulnerability without authentication. While confidentiality and integrity remain unaffected, service downtime can lead to operational disruptions, customer dissatisfaction, and potential financial losses. Additionally, organizations in regulated sectors such as finance, healthcare, or critical infrastructure may face compliance risks if service availability is compromised. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as awareness and tooling improve.

The primary mitigation is to upgrade all instances of webtransport-go to version 0.10.0 or later, where the vulnerability is fixed by properly removing closed streams from the internal session map to enable garbage collection. Organizations should audit their software dependencies to identify any usage of vulnerable webtransport-go versions. Implementing resource monitoring and alerting for abnormal memory usage patterns on servers running WebTransport services can provide early detection of exploitation attempts. Rate limiting or connection throttling on WebTransport endpoints can reduce the risk of rapid stream creation and closure abuse. Network-level protections such as Web Application Firewalls (WAFs) or intrusion prevention systems (IPS) should be configured to detect and block suspicious traffic patterns targeting WebTransport streams. Additionally, applying general best practices for memory management and service resilience, such as container resource limits and automatic restarts, can mitigate impact. Finally, maintain awareness of updates from the quic-go project and related security advisories to promptly address any future vulnerabilities.