{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T04:25:31.954","vulnerabilities":[{"cve":{"id":"CVE-2026-21434","sourceIdentifier":"security-advisories@github.com","published":"2026-02-12T19:15:51.333","lastModified":"2026-02-19T22:53:24.643","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is fixed in 0.10.0."},{"lang":"es","value":"webtransport-go es una implementación del protocolo WebTransport. Desde 0.3.0 hasta 0.9.0, un atacante puede causar un consumo excesivo de memoria en la implementación de sesión de webtransport-go al enviar una cápsula WT_CLOSE_SESSION que contiene un Mensaje de Error de Aplicación excesivamente grande. La implementación no aplica el límite de 1024 bytes exigido por el borrador en este campo, lo que permite a un par enviar una carga útil de mensaje arbitrariamente grande que se lee y almacena completamente en memoria. Esto permite a un atacante consumir una cantidad arbitraria de memoria. El atacante debe transmitir la carga útil completa para lograr el consumo de memoria, pero la falta de cualquier límite superior hace que los ataques a gran escala sean factibles dado un ancho de banda suficiente. Esta vulnerabilidad está corregida en 0.10.0."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-770"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:quic-go:webtransport-go:*:*:*:*:*:go:*:*","versionStartIncluding":"0.3.0","versionEndExcluding":"0.10.0","matchCriteriaId":"655FC296-1611-47D3-A71F-E5C093D2F463"}]}]}],"references":[{"url":"https://github.com/quic-go/webtransport-go/releases/tag/v0.10.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/quic-go/webtransport-go/security/advisories/GHSA-g6x7-jq8p-6q9q","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}