CVE-2026-45783: libp2p: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
libp2p (js-libp2p) is the JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Unvalidated PUT_VALUE records in libp2p's JavaScript implementation allow an unauthenticated remote peer to flood the disk storage of any @libp2p/kad-dht node running in server mode. The attack is reachable over the network with no credentials, no prior relationship, and no protocol deviation beyond a crafted key. A successful attack fills the node's datastore until the host disk is exhausted, rendering the node unavailable. A patched-image rebuild at version 16.2.6 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-45783 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle js-libp2p as a dependency.
Status: Available
HarborGuard is capable of scoring this CVE at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine priority. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.
Status: Available
Because a fix exists at js-libp2p 16.2.6, a patched-image rebuild at that version becomes available on HarborGuard the moment the upstream package is resolvable. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the target node's kad-dht server port over the network; no local or physical access is needed.
- Authentication: Not required
  No credentials, account, or prior relationship with the target node are required to send PUT_VALUE messages.
- Victim interaction: Not required
  The attack is fully automated against the listening service; no user needs to click, open, or approve anything.
- Attack complexity
  Exploitation is reliable and condition-free: the attacker simply sends a crafted stream of PUT_VALUE messages with keys that bypass content validation, with no race conditions or memory-layout dependencies.
Blast Radius
- Fills the host disk of the targeted kad-dht server node until no free space remains.
- Crashes or stalls the affected libp2p node, making it unable to participate in the DHT overlay network.
- Any other services or processes sharing the same host disk become unable to write data, which can cascade into broader host instability.
How HarborGuard Handles This
Available on HarborGuard: once js-libp2p 16.2.6 is resolvable from the upstream registry, a patched-image rebuild at that version is available for any customer image found to contain an affected release of @libp2p/kad-dht. For customers with auto-remediation enabled, HarborGuard can trigger the rebuild, execute the configured regression-test suite, and open a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Until a patched image is deployed, compensating controls worth considering include network-policy rules that restrict inbound DHT traffic to known peer sets, egress filtering to limit amplification surface, and switching affected nodes from server mode to client mode where the application architecture permits it. HarborGuard re-checks the advisory each ingest cycle and will surface the rebuild automatically the moment the fix is confirmed available upstream.
- Affected product: libp2p / js-libp2p, versions < 16.2.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H