CVE-2026-44697: Klever-Go MultiDataInterceptor: remote OOM via crafted compressed P2P payload
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress (data/batch/batch.go) allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is sufficient to OOM-kill a validator with conventional memory provisioning. Fleet-wide application affects chain liveness. This vulnerability is fixed in 1.7.17.
HarborGuard Analysis
Synopsis
This is a remote denial-of-service flaw in Klever-Go, the Go implementation of the Klever blockchain protocol. The Batch.Decompress routine in data/batch/batch.go expands a sub-50 KiB gossip payload into a multi-gigabyte heap allocation, so any peer in a topic served by MultiDataInterceptor can send one crafted packet over the network without authentication and OOM-kill a validator, and a fleet-wide attack threatens chain liveness. The advisory lists 1.7.17 as the fixed release, and a patched-image rebuild at that version is available on HarborGuard for environments running an affected build.
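The expansion described above is blocked by capping decompressed output before it is buffered. The sketch below is an added example, not Klever-Go's code or the 1.7.17 patch; gzip is an assumption (the page does not name the codec), and `DecompressBounded`, `compressZeros` and the 1 MiB limit are hypothetical.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when inflating would exceed the caller's cap.
var ErrTooLarge = errors.New("decompressed payload exceeds limit")

// DecompressBounded inflates a gzip payload (codec is an assumption) and
// refuses to produce more than maxOut bytes of output.
func DecompressBounded(payload []byte, maxOut int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	// Read maxOut+1 bytes at most: the extra byte separates "at the limit" from "over".
	var out bytes.Buffer
	n, err := io.Copy(&out, io.LimitReader(zr, maxOut+1))
	if err != nil {
		return nil, err
	}
	if n > maxOut {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// compressZeros builds a constructed test input: n zero bytes, gzip-compressed.
func compressZeros(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, n))
	zw.Close()
	return buf.Bytes()
}

func main() {
	const limit = 1 << 20 // hypothetical 1 MiB per-message budget
	for _, n := range []int{64 << 10, 8 << 20} {
		in := compressZeros(n)
		_, err := DecompressBounded(in, limit)
		fmt.Printf("%d B compressed -> %d B raw: err=%v\n", len(in), n, err)
	}
}
```

The cap is enforced while streaming, so an oversized message is rejected after reading roughly `maxOut` bytes instead of after the full expansion has been allocated.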
HarborGuard Coverage
Detection is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against klever-go binaries and images in customer registries and CI pipelines. Coverage extends to custom-built images that vendor or rebuild klever-go from source.
Available
Triage is available with the published CVSS 8.6 (High) score weighted by each customer organization's compliance policy, so blockchain validator workloads and other production node images can be prioritized higher than non-runtime artifacts. Findings route to the right inbox inside each customer org based on image ownership and topic.
Available
A patched-image rebuild at klever-go 1.7.17 is available on HarborGuard for affected environments. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a PR opened against affected workloads.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim node over the P2P network as a peer in a topic served by MultiDataInterceptor.
- Authentication: Not required
  Any unauthenticated peer participating in the gossip topic can send the malicious payload; no account or credential is needed.
- Victim interaction: Not required
  No operator or user action is needed; the receiving node processes the gossip packet automatically.
- Attack complexity: Detail
  AC:L indicates the exploit is reliable and condition-free; a single sub-50 KiB packet is sufficient.
Blast Radius
- Crashes the affected klever-go validator process via out-of-memory kill from a single crafted gossip packet.
- Disrupts chain liveness when the attack is applied across many peers in the network, since validators fleet-wide can be downed in parallel.
- Leaves stored data and on-chain state untouched (C:N/I:N), so the impact is purely availability, not disclosure or tampering.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at klever-go 1.7.17 for environments still running an affected build. For customers who opt into auto-remediation, the rebuild is generated, the regression suite is run, and a PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is not enabled, the patched image is published to the customer's registry and the finding is routed to the owning team for manual rollout, with compensating controls such as restricting P2P peering to known validators and tightening per-node memory limits suggested in the finding detail.
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - klever-io / klever-go < 1.7.16
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H