16 matches found
Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt
Summary Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil check. A protobuf Transaction whose embedded RawData...
GHSA-RM5C-5X2P-48WR Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt
Summary Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil check. A protobuf Transaction whose embedded RawData...
GHSA-W342-MJ6G-V9C4 Klever-Go KVM: Hash-array amplification in P2P resolver request handling
Summary A connected peer can send a compressed RequestDataTypeHashArrayType direct request that is only 442 bytes on the wire but expands into 200000 decoded hash entries inside the resolver path. On klever-go v1.7.17, this allows remote memory and CPU amplification against nodes that accept P2P...
Klever-Go KVM: Hash-array amplification in P2P resolver request handling
Summary A connected peer can send a compressed RequestDataTypeHashArrayType direct request that is only 442 bytes on the wire but expands into 200000 decoded hash entries inside the resolver path. On klever-go v1.7.17, this allows remote memory and CPU amplification against nodes that accept P2P...
GHSA-74M6-4HJP-7226 Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS)
Publisher note Fixed in v1.7.17. Operators running v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning guarded defer after StartProcessing, disabled when the asynchronous goroutine takes...
CVE-2026-52880
creationtimestamp| type| source ---|---|--- 2026-06-02 10:32:57+00:00| published-proof-of-concept| https://github.com/klever-io/klever-go/security/advisories/GHSA-w4c6-7r69-w7j9...
CVE-2026-49343
creationtimestamp| type| source ---|---|--- 2026-06-02 10:31:07+00:00| published-proof-of-concept| https://github.com/klever-io/klever-go/security/advisories/GHSA-fw38-pc54-jvx9...
CVE-2026-47249
creationtimestamp| type| source ---|---|--- 2026-06-02 10:30:29+00:00| published-proof-of-concept| https://github.com/klever-io/klever-go/security/advisories/GHSA-w342-mj6g-v9c4...
CVE-2026-44697
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on...
CVE-2026-44697
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on...
CVE-2026-44697
CVE-2026-44697 describes a remote denial-of-service in Klever-Go where a peer can cause a receiving node to allocate multi-gigabytes of heap from a sub-50 KiB compressed gossip payload. The root cause is an unbounded gzip decompression in Batch.Decompress (Batch.Stream) via Batch.Decompress/Batch...
CVE-2026-44697 Klever-Go MultiDataInterceptor: remote OOM via crafted compressed P2P payload
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on...
EUVD-2026-33375
Klever-Go is the Go implementation of the Klever blockchain protocol. Prior to 1.7.17, a remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on...
CVE-2026-46403
creationtimestamp| type| source ---|---|--- 2026-05-19 10:00:26+00:00| published-proof-of-concept| https://github.com/klever-io/klever-go/security/advisories/GHSA-jc6w-wmfc-fh33...
GHSA-87M7-QFFR-542V Klever-Go MultiDataInterceptor has remote OOM via crafted compressed P2P payload
Summary A remote, unauthenticated denial-of-service vulnerability in Batch.Decompress data/batch/batch.go allows any peer that participates in a topic served by MultiDataInterceptor to allocate multi-gigabyte heaps on the receiving node from a sub-50 KiB gossip payload. A single packet is...
CVE-2026-44697
creationtimestamp| type| source ---|---|--- 2026-05-11 19:17:38+00:00| published-proof-of-concept| https://github.com/klever-io/klever-go/security/advisories/GHSA-87m7-qffr-542v 2026-05-29 20:05:43+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmzdjdvunn2h 2026-05-30 20:01:25+00:0...