PT-2026-40590 · Klever-Go · Klever-Go
Fbsobreira
·
Published
2026-05-13
·
Updated
2026-06-25
·
CVE-2026-44697
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Klever-Go versions prior to 1.7.17
Description
A remote, unauthenticated denial-of-service issue exists in the
Batch.Decompress function within data/batch/batch.go. This allows any peer participating in a topic served by MultiDataInterceptor to trigger multi-gigabyte heap allocations on a receiving node using a gossip payload smaller than 50 KiB. The issue stems from an unbounded io.ReadAll operation in the decompressGzip function and a lack of validation for the ba.DataSize variable during decompression. A single malicious packet can cause a validator to crash due to out-of-memory (OOM) conditions, and a fleet-wide attack can compromise chain liveness.Recommendations
Update to version 1.7.17.
Exploit
Fix
DoS
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Klever-Go