Primary

Context

webtransport-go Denial-of-Service Vulnerability via Flow Control Credit Withholding

Vulnerability

A denial-of-service vulnerability has been identified in webtransport-go, an implementation of the WebTransport protocol, in versions prior to v0.10.0. The issue arises when a malicious peer withholds QUIC flow control credit on the CONNECT stream, preventing the transmission of the WT_CLOSE_SESSION capsule, which is essential for properly closing a WebTransport session. As a result, the session closure operation can hang indefinitely.

Impact

Exploitation of this vulnerability leads to an indefinite blockage in the WebTransport session closure process, causing a denial-of-service condition.

Remediation

Users can upgrade to webtransport-go version v0.10.0 or later to address this vulnerability.

Added: Feb 12, 2026, 7:27 PM

Updated: Feb 12, 2026, 7:27 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.0

remediation

0.0

relevance

2.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.0

remediation

0.0

relevance

2.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

webtransport-go Denial-of-Service Vulnerability via Flow Control Credit Withholding

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating