Key Vulnerability Information

CVE ID: CVE-2026-21435
CVSS v3 Severity: Moderate (5.3/10)
Affected Package: https://github.com/quic-go/webtransport-go (Go)
Affected Versions: <=v0.9.0
Patched Versions: v0.10.0

Summary

An attacker can exploit this vulnerability to cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. This is achieved by withholding QUIC flow control credit on the CONNECT stream, which blocks transmission of the WT_CLOSE_SESSION capsule and causes the close operation to hang.

Details

In affected versions, the closure procedure blocks indefinitely while waiting for sufficient QUIC flow control credit from the peer. A malicious peer can exploit this by withholding the necessary credit, thereby preventing the capsule from being sent.

The Fix

The patched version introduces a short deadline for sending the WT_CLOSE_SESSION capsule. If the capsule cannot be sent within this deadline, the CONNECT stream is reset, allowing the WebTransport session to close promptly without sending optional error details. This prevents indefinite blocking on session closure.
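
The deadline-then-reset pattern described under The Fix, shown as an added Go example that is not webtransport-go's own code. It assumes net.Pipe as a stand-in for the CONNECT stream, a remote end that never reads as a stand-in for a peer withholding flow control credit, and closing the pipe as a stand-in for a stream reset; closeSession, stalledPeer and readingPeer are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// closeSession tries to deliver closeMsg within d. If the peer does not accept
// the bytes in time, the stream is torn down anyway (standing in for a stream
// reset), so the caller never hangs. The bool reports whether closeMsg went out.
func closeSession(stream net.Conn, closeMsg []byte, d time.Duration) (bool, error) {
	defer stream.Close() // release the stream whether or not the message was sent
	if err := stream.SetWriteDeadline(time.Now().Add(d)); err != nil {
		return false, err
	}
	if _, err := stream.Write(closeMsg); err != nil {
		if errors.Is(err, os.ErrDeadlineExceeded) {
			return false, nil // peer stalled: drop the optional close details
		}
		return false, err
	}
	return true, nil
}

// stalledPeer returns a stream whose remote end never reads, so writes block
// (constructed stand-in for a peer that withholds flow control credit).
func stalledPeer() net.Conn {
	local, _ := net.Pipe()
	return local
}

// readingPeer returns a stream whose remote end drains everything it is sent.
func readingPeer() net.Conn {
	local, remote := net.Pipe()
	go io.Copy(io.Discard, remote)
	return local
}

func main() {
	for name, s := range map[string]net.Conn{"stalled": stalledPeer(), "reading": readingPeer()} {
		start := time.Now()
		sent, err := closeSession(s, []byte("close"), 100*time.Millisecond)
		fmt.Printf("%s peer: sent=%v err=%v after %v\n", name, sent, err, time.Since(start).Round(time.Millisecond))
	}
}
```

Without the SetWriteDeadline call, the write to the stalled peer never returns, which is the hang the advisory describes.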