HIGH
klever-io
CVE published 2026-05-29
CVE-2026-44697
A remote, unauthenticated denial-of-service vulnerability exists in Klever-Go prior to version 1.7.17. The flaw resides in the `Batch.Decompress` function within `data/batch/batch.go`, where an attacker can trigger multi-gigabyte heap allocations on a receiving node by sending a crafted gossip payload of less than 50 KiB. A single malicious packet is sufficient to cause an out-of-memory (OOM) termination [truncated]