Description
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17.
Published: 2026-05-29
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Klever‑Go, the Go implementation of the Klever blockchain protocol, contains an unauthenticated denial‑of‑service flaw in its Batch.Decompress function (data/batch/batch.go). Any peer that participates in a gossip topic handled by MultiDataInterceptor can send a compressed batch of under 50 KiB whose decompression makes the receiving node allocate multi‑gigabyte heaps, so a single packet can OOM‑kill a validator with conventional memory provisioning. The CVSS 3.1 score of 8.6 (High) reflects a network‑reachable, unauthenticated availability impact with changed scope (S:C): a packet that knocks out validators fleet‑wide threatens chain liveness, not just the individual node that receives it.
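The allocation pattern behind a decompression bomb, and the bound that removes it, as an added Go example. This is not Klever-Go's code (the page does not show Batch.Decompress itself); it assumes a gzip-compressed batch and a hypothetical receiver-side cap MaxBatchSize, and the bomb payload is constructed inline so the example runs offline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// MaxBatchSize caps how many decompressed bytes one gossip batch may produce.
// The value is an assumption for this example; it is not Klever-Go's limit.
const MaxBatchSize = 1 << 20 // 1 MiB

// ErrBatchTooLarge is returned when a batch would expand past MaxBatchSize.
var ErrBatchTooLarge = errors.New("batch: decompressed size exceeds MaxBatchSize")

// Compress gzips data. Used here only to construct the sample payloads.
func Compress(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	_, _ = w.Write(data)
	_ = w.Close()
	return buf.Bytes()
}

// BuildBomb returns a small gzip payload that expands to n zero bytes.
// Deflate encodes long runs of identical bytes at roughly 1000:1, so a
// payload of a few tens of KiB expands to tens of MiB (constructed input).
func BuildBomb(n int) []byte {
	return Compress(make([]byte, n))
}

// DecompressUnbounded shows the weak pattern: the sender chooses the
// expansion ratio and the receiver allocates whatever the stream yields.
func DecompressUnbounded(payload []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// DecompressBounded hardens the same routine. It reads at most
// MaxBatchSize+1 bytes, so the allocation is bounded by a constant the
// receiver controls, and any stream that would exceed the cap is rejected.
func DecompressBounded(payload []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, MaxBatchSize+1))
	if err != nil {
		return nil, err
	}
	if len(out) > MaxBatchSize {
		return nil, ErrBatchTooLarge
	}
	return out, nil
}

func main() {
	bomb := BuildBomb(16 << 20) // expands to 16 MiB of zeros
	fmt.Printf("bomb: %d compressed bytes\n", len(bomb))

	out, err := DecompressUnbounded(bomb)
	fmt.Printf("unbounded: %d bytes allocated, err=%v\n", len(out), err)

	_, err = DecompressBounded(bomb)
	fmt.Printf("bounded: err=%v\n", err)

	ok, err := DecompressBounded(Compress([]byte("legit batch")))
	fmt.Printf("bounded legit: %q err=%v\n", ok, err)
}
```

The bound has to sit on the decompressed side: checking only the size of the received packet does nothing against a 1000:1 ratio, and a sender-supplied "uncompressed length" field must never be passed to make([]byte, n) before it is compared with the cap, since that is the CWE-770 pattern in one line. In a real node the cap should be derived from the largest batch the protocol legitimately produces, and the process should also run under a memory limit so that a bug of this class restarts the node rather than taking the host down.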

Affected Systems

The vulnerability affects all Klever‑io Klever‑Go deployments running any version prior to 1.7.17. Any validator or node that accepts gossip traffic on a topic served by the MultiDataInterceptor is susceptible, regardless of the node’s role within the network.

Risk and Exploitability

The CVSS score indicates a high‑severity weakness. The EPSS score is below 1% (Very Low), so the predicted probability of exploitation in the wild over the next 30 days is low, and the flaw is not listed in the CISA KEV catalog; both figures describe observed or predicted exploitation activity, not how easy the attack is. Exploitation requires no authentication and no user interaction: an attacker only has to join a gossip topic served by MultiDataInterceptor as a peer and publish a crafted compressed packet, so any node that accepts connections from untrusted peers is a potential target.

Generated by OpenCVE AI on May 29, 2026 at 18:21 UTC.

Remediation

Fixed in Klever‑Go 1.7.17 (see the Description and GitHub advisory GHSA-87m7-qffr-542v). No vendor workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Upgrade all Klever‑Go instances to version 1.7.17 or newer so that the Batch.Decompress routine no longer allocates unbounded memory.
  • After upgrading, restart the nodes and verify that they remain responsive under normal gossip traffic; watch process memory (RSS and Go heap) while they resynchronise.
  • If an immediate upgrade is not feasible, restrict inbound gossip traffic to trusted peers or apply a firewall rule that limits connections until the patch can be applied. This reduces exposure but does not remove it, because any peer that is still admitted to an affected topic can send the packet; running the node under a memory limit with automatic restart limits the damage to the process rather than the host.

Advisories
Source: Github GHSA
ID: GHSA-87m7-qffr-542v
Title: Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload

History

Fri, 29 May 2026 17:30:00 +0000

Type: Description
Values removed: (none)
Values added: Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17.

Type: Title
Values removed: (none)
Values added: Klever-Go MultiDataInterceptor: remote OOM via crafted compressed P2P payload

Type: Weaknesses
Values removed: (none)
Values added: CWE-409 (Improper Handling of Highly Compressed Data), CWE-770 (Allocation of Resources Without Limits or Throttling)

Type: References
Values removed: (none)
Values added:

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T17:14:43.465Z

Reserved: 2026-05-07T17:07:09.316Z

Link: CVE-2026-44697

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-29T18:17:09.697

Modified: 2026-05-29T18:17:09.697

Link: CVE-2026-44697

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses