CVE-2026-44697: Klever-Go Remote Denial-of-Service via Decompression Bomb
Klever-Go versions prior to 1.7.17 contain a remote denial-of-service flaw that allows any network participant to crash validator nodes by sending a single, small network message (under 50 KB). The vulnerable code mishandles decompression of batched data, causing the receiving node to allocate multiple gigabytes of memory unexpectedly, leading to out-of-memory crashes. Because validators are critical to blockchain operation, an attacker can disrupt the entire Klever network's ability to process transactions and reach consensus. The attack requires no authentication and can be executed from any peer on the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-409, CWE-770
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in Batch.Decompress within data/batch/batch.go and is triggered when a node receives a gossip message on a topic served by MultiDataInterceptor. The decompression logic fails to validate or bound the output size of decompressed data, allowing an attacker to craft a payload that expands from sub-50 KiB input to multi-gigabyte heap allocations. This represents a classic zip-bomb or decompression bomb attack vector. The flaw is categorized as an improper resource allocation issue (CWE-409) combined with uncontrolled resource consumption (CWE-770). Because the Klever protocol uses gossip-based message propagation, any peer—including malicious or compromised ones—can inject the malicious payload to any listening node.
Business impact
For Klever network operators and validators, this vulnerability creates immediate operational risk. A single attacker can selectively target and crash individual validator nodes, degrading network throughput or triggering consensus failures if enough validators are affected. In a coordinated attack, an adversary could destabilize chain liveness, preventing block production and transaction finality. This is particularly severe for networks where validator count is modest or geographically concentrated. Organizations running Klever infrastructure face potential service interruptions, missed block rewards, and reputational damage. The attack surface is broad: any node accepting gossip messages is vulnerable, making network-wide mitigation difficult without patching.
Affected systems
Klever-Go prior to version 1.7.17 is affected. This includes all validator and full-node deployments running vulnerable versions. Any infrastructure dependent on Klever consensus or data availability is in scope. Environments with standard memory provisioning (e.g., 4–32 GB per node) are particularly exposed, as a single malicious payload can exhaust available heap and trigger OOM-kill. Testnet, stagenet, and mainnet deployments are equally vulnerable.
Exploitability
Exploitability is very high. The attack is trivial to execute: craft a sub-50 KiB payload with a decompression bomb pattern and broadcast it to the Klever gossip network. No authentication, credentials, or privileged network access is required. Any peer connected to the network can send the payload. A single packet is sufficient to crash a target node. The barrier to weaponization is negligible, and no specialized tools are needed. The impact is immediate and deterministic.
Remediation
Upgrade Klever-Go to version 1.7.17 or later. This version contains a fix that properly validates or bounds decompressed data size, preventing unbounded heap allocation. Operators should prioritize this upgrade as critical. Before upgrading, consider temporary mitigations such as adjusting ulimits to constrain per-process memory, implementing ingress-level gossip filtering (if feasible), or temporarily isolating nodes from untrusted peers—though these do not address the root cause.
Patch guidance
Review your Klever-Go deployment version immediately. If running 1.7.16 or earlier, schedule an urgent upgrade to 1.7.17. Verify the patch version against official Klever release notes and checksums to ensure authenticity. For large deployments, coordinate a rolling upgrade strategy to maintain network stability during the transition. Test the upgrade in a staging environment first, particularly if you run custom configurations or integrations. After patching, monitor node memory usage and crash logs to confirm the issue is resolved.
Detection guidance
Monitor validator and node memory consumption for sudden spikes or out-of-memory events. Enable verbose logging in Batch.Decompress or the gossip layer to detect unusual decompression patterns or oversized payloads. Network-level detection is challenging without deep packet inspection, but anomalous gossip message sizes or patterns from specific peers may warrant investigation. Correlate node crashes with timestamp-aligned gossip traffic to identify potential attack sources. Post-upgrade, such spikes should no longer occur; their presence indicates an unpatched or compromised node.
Why prioritize this
This vulnerability merits immediate patching because it enables trivial, network-wide denial-of-service of blockchain consensus infrastructure. The combination of ease of exploitation (no authentication, single packet), high impact (node crash, chain liveness loss), and broad attack surface (any gossip peer) makes it a critical risk. The CVSS 8.6 HIGH score reflects the severity. Operators of Klever validators and full nodes should treat this as P0 or P1 depending on their infrastructure SLA.
Risk score, explained
CVSS 3.1 score of 8.6 (HIGH) is driven by network-adjacent attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), and scope change (S:C) reflecting impact to network-wide consensus. The scoring emphasizes high availability impact (A:H) with no confidentiality or integrity loss. The score appropriately captures the operational severity while acknowledging that direct data breach or system compromise is not the threat model here.
Frequently asked questions
Can this vulnerability be exploited from outside the Klever network, or only from peers already connected?
Any network peer that can reach the Klever gossip network—either by being a full peer node or by sending packets to listening peers—can exploit this. Firewall rules that restrict network access to trusted peers can reduce exposure, but do not eliminate it if any trusted peer is compromised.
If I isolate my validator node from the wider network, am I protected?
Isolation reduces exposure but is not a practical long-term solution. Validators must participate in gossip to reach consensus and receive transactions. The proper fix is to upgrade to 1.7.17. Temporary network segmentation may be useful during a rolling upgrade, but it should not delay patching.
How quickly can this be exploited at scale?
Very quickly. An attacker with a single node on the network can crash multiple validators in seconds by sending multiple payloads in parallel. Coordinated attacks across many victim nodes are feasible, potentially triggering a chain-wide outage if a quorum of validators is affected.
Does this vulnerability affect Klever wallets or light clients?
Light clients or wallets that do not participate in gossip or do not decompress batch data are not directly affected. Impact is primarily to full nodes and validators. Verify your client's architecture against the affected component (Batch.Decompress in data/batch/batch.go).
This analysis is based on publicly available vulnerability data and the vendor's advisory. Specific configuration impacts, network topology factors, and custom integrations may vary your risk profile. Always verify patch availability and compatibility in your environment before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis for your specific use case. Consult Klever's official security advisories and your infrastructure team before taking remediation action. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-46638HIGHDell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2
- CVE-2026-34077HIGHReact Router XSS in RSC Redirect Handling – Patch Guidance
- CVE-2026-46599HIGHTIFF PackBits Decoder Denial of Service Vulnerability
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability