CVE-2026-46679

Summary

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23.

Affected Software

VendorProductVersion RangeStatus
libp2pjs-libp2p< 15.0.23affected

Weaknesses

  • CWE-20: CWE-20: Improper Input Validation
  • CWE-400: CWE-400: Uncontrolled Resource Consumption
  • CWE-401: CWE-401: Missing Release of Memory after Effective Lifetime

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

Additional References

References