HarborGuard Database

HIGH | CVE-2026-46679 | Published / Modified | CNA: GitHub_M

CVE-2026-46679: libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow a single unauthenticated peer to exhaust the Node.js heap of any gossipsub node running with default options. This issue has been patched in version 15.0.23.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 15.0.23
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A memory exhaustion vulnerability (Denial of Service via subscription flood) affects the JavaScript implementation of the libp2p networking stack, specifically the @libp2p/gossipsub component in js-libp2p versions prior to 15.0.23. The flaw is reachable over the network without any authentication, and three cooperating omissions in gossipsub's subscription handling allow a single unauthenticated peer to exhaust the Node.js heap of the target node. Successful exploitation crashes the affected gossipsub node, causing a complete loss of availability. A patched-image rebuild at version 15.0.23 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle js-libp2p or @libp2p/gossipsub. Any image containing a version of js-libp2p below 15.0.23 is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine breach of threshold and urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

A patched-image rebuild targeting js-libp2p 15.0.23 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target gossipsub node over the network; the service must be reachable from an external or peer-connected position.

  • Authentication: Not required

    No credentials or account are needed; the attack can be launched by any unauthenticated peer that can establish a connection.

  • Victim interaction: Not required

    No user or operator action is required; the attacker triggers heap exhaustion entirely through network-level peer messaging.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond network access.

Blast Radius

  • Crashes the Node.js process hosting the gossipsub node, taking down all peer-to-peer networking functions it provides.
  • A single attacking peer is sufficient to exhaust available heap memory, so no botnet or coordinated source is needed.
  • Recovery requires a process restart, creating a repeatable availability outage if the attacker remains reachable.
  • No confidential data is read and no stored data is modified; impact is limited to service availability.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of advisory publication, matching any image that packages js-libp2p below 15.0.23 against this CVE. Because a fix version (15.0.23) exists, a patched-image rebuild is immediately available. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the fixed version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy or network architecture permits, isolating gossipsub listener ports via Kubernetes NetworkPolicy to restrict inbound peer connections serves as a compensating control until the patched image is deployed.
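The compensating control named above, written out as an added example (not HarborGuard's or the libp2p project's own configuration): a Kubernetes NetworkPolicy that admits inbound connections to the gossipsub listener only from a labelled set of peers. It assumes the node runs in namespace p2p with the label app=gossipsub-node, listens on TCP 4001 (a placeholder; substitute the node's real libp2p listen port), and that permitted peers carry the label role=trusted-peer, either in the same namespace or in a namespace labelled p2p-peers=allowed.

```yaml
# Added example for the compensating control described in the text; not the
# project's or HarborGuard's own configuration. The namespace, the labels and
# port 4001 are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: gossipsub-restrict-inbound-peers
  namespace: p2p
spec:
  # Selects the gossipsub node pods. Once selected, they accept only the
  # ingress that one of the rules below explicitly allows.
  podSelector:
    matchLabels:
      app: gossipsub-node
  policyTypes:
    - Ingress          # outbound dials made by the node itself are untouched
  ingress:
    # Rule 1: trusted peer pods in the same namespace.
    - from:
        - podSelector:
            matchLabels:
              role: trusted-peer
      ports:
        - protocol: TCP
          port: 4001   # placeholder libp2p listen port
    # Rule 2: trusted peer pods in namespaces opted in with p2p-peers=allowed.
    # namespaceSelector and podSelector inside one entry are ANDed.
    - from:
        - namespaceSelector:
            matchLabels:
              p2p-peers: allowed
          podSelector:
            matchLabels:
              role: trusted-peer
      ports:
        - protocol: TCP
          port: 4001
```

The policy blocks connections that unknown peers open toward the node, but a connection the node itself dials out (for example after discovery) still carries subscriptions, so it reduces rather than removes exposure until 15.0.23 is deployed. It also needs a CNI plugin that enforces NetworkPolicy; on a cluster without one the object is accepted but has no effect.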

Affected packages
  • libp2p / js-libp2p: < 15.0.23

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H