Klever, Denial-of-Service (DoS), CVE-2026-XXXXX (Critical)

Listen to this Post

How the CVE Works

The core of this vulnerability resides in `decompressGzip` (located in data/batch/batch.go:35-53), which uses `io.ReadAll` without limiting the size of the decompressed data. An attacker creates a small gzip payload that expands to hundreds of megabytes or even gigabytes when decompressed.
A malicious peer simply crafts a `Batch` message where the `IsCompressed` flag is set to `true` and includes this bomb in the `Stream` field. The receiver’s `MultiDataInterceptor.ProcessReceivedMessage` calls Batch.Decompress, which triggers the unbounded decompressGzip.
The anti-flood checks are only applied after the decompression completes, so they offer no protection. As a result, a single 48 KiB network packet can consume over 2 GiB of heap memory on the target node. This leads directly to an OOM (Out‑of‑Memory) kill of the process.
Because the vulnerability is triggered before any signature verification or peer reputations, the attacker does not need to be a trusted validator. A single connected peer can repeatedly send these bombs and take down a node within seconds.

Platform: Klever
Version: commit 405d01b0abbf0d3e73b4a990bd7394a01f200dc2
Vulnerability : Decompression bomb
Severity: Critical
date: 2026-05-13
Prediction: 2026-01-15

Analytics under heading What Undercode Say

Simulate the attack using the provided test
go test -v -count=1 -timeout=120s -run TestC2 ./playground/p2pflood/...
Monitor heap usage on a live node (Linux)
while true; do
echo "$(date) – HeapAlloc: $(go tool pprof -text /path/to/binary http://localhost:6060/debug/pprof/heap | grep 'Total' | awk '{print $2}')"
sleep 1
done
Check for OOM events
dmesg | grep -i "Out of memory" | tail -5

Exploit

The complete Go‑language proof‑of‑concept (PoC) included in the advisory (playground/p2pflood/c2_decompression_bomb_test.go) demonstrates two variants:
1. Raw zeros bomb – a 256 MiB all‑zero gzip stream that forces the receiver to allocate ~847 MiB of heap.
2. Valid inner batch – a 25 million‑entry empty slice, compressed to 48 KiB on the wire, which expands to ~2 GiB of heap after decompression and unmarshalling.
Both tests run against the actual `data/batch.Batch.Decompress` function and use the production factory.ProtoMarshalizer.

Protection from this CVE

Apply the patch that introduces a hard size cap (e.g., 64 MiB) inside `decompressGzip` by wrapping the `gzip.Reader` with io.LimitReader. The fix also validates `ba.DataSize` before decompression and rejects any batch that exceeds the configured limit.
No configuration‑only workaround exists: lowering `peerMaxInput.totalSizePerInterval` cannot stop a single bomb. Upgrade to the patched release (rc2 or later) as soon as it is available.

Impact

A single malicious peer can OOM‑kill any validator or full node that subscribes to any gossip topic served by MultiDataInterceptor. Because the attack uses a sub‑50 KiB packet, it can be repeated many times per second, quickly taking down the entire validator fleet and halting blockchain production.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top