CVE-2026-21435

{"id": "CVE-2026-21435", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-12T19:15:51.503", "references": [{"url": "https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/quic-go/webtransport-go/security/advisories/GHSA-px4r-g4p3-hhqv", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0."}, {"lang": "es", "value": "webtransport-go es una implementaci\u00f3n del protocolo WebTransport. Antes de la v0.10.0, un atacante puede causar una denegaci\u00f3n de servicio en webtransport-go al impedir o retrasar indefinidamente el cierre de la sesi\u00f3n WebTransport. Un par malicioso puede retener el cr\u00e9dito de control de flujo QUIC en el flujo CONNECT, bloqueando la transmisi\u00f3n de la c\u00e1psula WT_CLOSE_SESSION y haciendo que la operaci\u00f3n de cierre se cuelgue. Esta vulnerabilidad est\u00e1 corregida en la v0.10.0."}], "lastModified": "2026-02-19T22:51:49.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D64C55F6-7FB5-4D98-9E14-99F89DD9F3E4", "versionEndExcluding": "0.10.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}