PatchSiren cyber security CVE debrief
CVE-2026-44697 klever-io CVE debrief
A remote, unauthenticated denial-of-service vulnerability exists in Klever-Go prior to version 1.7.17. The flaw resides in the `Batch.Decompress` function within `data/batch/batch.go`, where an attacker can trigger multi-gigabyte heap allocations on a receiving node by sending a crafted gossip payload of less than 50 KiB. A single malicious packet is sufficient to cause an out-of-memory (OOM) termination of a validator with standard memory provisioning. Successful exploitation at scale threatens chain liveness across the validator fleet. The vulnerability is classified under CWE-409 (Improper Handling of Highly Compressed Data) and CWE-770 (Allocation of Resources Without Limits or Throttling).
- Vendor: klever-io
- Product: klever-go
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Blockchain infrastructure operators running Klever-Go validator nodes, consensus protocol developers, and security teams responsible for distributed ledger technology deployments.
Technical summary
The vulnerability stems from insufficient input validation in the batch decompression logic. `Batch.Decompress` does not bound the size of its decompressed output, so a compressed payload of under 50 KiB can expand to multiple gigabytes in memory before any higher-level check runs. The vulnerable path is reachable through the `MultiDataInterceptor` topic subscription mechanism, which hands gossip messages to the decompressor without adequate pre-validation of their expanded size. The attack vector is network-accessible, requires no authentication, and costs the attacker almost nothing per packet, so it scales naturally to disruption of consensus across many validators at once.
Defensive priority
critical
Recommended defensive actions
- Upgrade Klever-Go to version 1.7.17 or later immediately; this is the only complete fix
- If you maintain a fork or cannot upgrade yet, cap the decompressed output size in `Batch.Decompress` (`data/batch/batch.go`) and reject any payload that would exceed the cap rather than allocating for it
- Monitor validator nodes for abnormal memory consumption and for OOM-kill events on the node process
- Apply network-level rate limiting on gossip protocol traffic where feasible; note that this reduces exposure but does not remove it, since a single packet suffices
- Validate both the compressed size and the expected decompressed size of incoming batch data before decompression, so that memory allocation is never driven by attacker-controlled stream contents
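The following is an added example, written for this debrief, that is not Klever-Go's own code. It illustrates the failure mode described in the technical summary and the mitigation in the list above: an unbounded decompressor that lets the sender dictate the allocation, beside a bounded one that stops reading at a fixed cap. The advisory does not state which compression format `Batch.Decompress` uses, so gzip is assumed here; `MakeBomb` produces a constructed test payload, not a real gossip message, and the function names and the 4 MiB cap are illustrative choices.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when a stream would expand past the configured cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds limit")

// MakeBomb builds a small gzip stream that expands to `size` zero bytes.
// Constructed test input only; gzip is an assumption, not the format Klever-Go uses.
func MakeBomb(size int) ([]byte, error) {
	var buf bytes.Buffer
	zw, err := gzip.NewWriterLevel(&buf, gzip.BestCompression)
	if err != nil {
		return nil, err
	}
	zeros := make([]byte, 64*1024)
	for remaining := size; remaining > 0; {
		n := len(zeros)
		if remaining < n {
			n = remaining
		}
		if _, err := zw.Write(zeros[:n]); err != nil {
			return nil, err
		}
		remaining -= n
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// DecompressUnbounded shows the vulnerable pattern: it reads until EOF, so the
// size of the allocation is chosen entirely by whoever sent the stream.
func DecompressUnbounded(compressed []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// DecompressBounded reads at most maxOut+1 bytes through io.LimitReader. If the
// extra byte arrives, the stream is over the cap and is rejected without ever being
// fully expanded; the receiver's memory use is bounded by the cap, not by the sender.
func DecompressBounded(compressed []byte, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	out, err := io.ReadAll(io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > maxOut {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

func main() {
	const expanded = 16 << 20 // 16 MiB of output from a few KiB of input
	bomb, err := MakeBomb(expanded)
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed %d bytes, expands to %d bytes (ratio %d:1)\n",
		len(bomb), expanded, expanded/len(bomb))

	out, _ := DecompressUnbounded(bomb)
	fmt.Printf("unbounded: allocated %d bytes\n", len(out))

	_, err = DecompressBounded(bomb, 4<<20) // 4 MiB cap, an illustrative value
	fmt.Printf("bounded:   %v\n", err)
}
```

The cap should be set from what a legitimate batch can actually contain; anything above it is rejected before it is allocated, which is the property the vulnerable code lacked. A cheap pre-check on the compressed size alone is not enough, since the whole point of this bug class is that the compressed input is tiny.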
Evidence notes
The vulnerability description and affected version information are derived from the official CVE record and NVD entry published 2026-05-29. The GitHub Security Advisory (GHSA-87m7-qffr-542v) provides the authoritative technical details regarding the vulnerable function and fix version.
Official resources
- CVE-2026-44697 CVE record (CVE.org)
- CVE-2026-44697 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29