PT-2026-40590 · Klever-Go · Klever-Go

Fbsobreira

·

Published

2026-05-13

·

Updated

2026-06-25

·

CVE-2026-44697

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Klever-Go versions prior to 1.7.17
Description A remote, unauthenticated denial-of-service issue exists in the Batch.Decompress function within data/batch/batch.go. This allows any peer participating in a topic served by MultiDataInterceptor to trigger multi-gigabyte heap allocations on a receiving node using a gossip payload smaller than 50 KiB. The issue stems from an unbounded io.ReadAll operation in the decompressGzip function and a lack of validation for the ba.DataSize variable during decompression. A single malicious packet can cause a validator to crash due to out-of-memory (OOM) conditions, and a fleet-wide attack can compromise chain liveness.
Recommendations Update to version 1.7.17.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44697
GHSA-87M7-QFFR-542V
GO-2026-5246

Affected Products

Klever-Go