CVE-2026-45783
Deferred - Pending Action

Disk Storage Exhaustion in libp2p Kad-DHT Node

Vulnerability report for CVE-2026-45783, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.


Meta Information

Published
2026-06-10
Last Modified
2026-06-11
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30

Affected Vendors & Products

Vendor    Product    Version / Range
libp2p    libp2p     < 16.2.6
libp2p    kad-dht    < 16.2.6

Exploitability

CWE ID     Description
CWE-400    The product does not properly control the allocation and maintenance of a limited resource.
CWE-20     The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Compliance Impact

The vulnerability allows an unauthenticated remote peer to exhaust the disk storage of a libp2p kad-dht node running in server mode by sending unbounded PUT_VALUE messages. This results in denial of service by making the node unavailable.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the denial of service caused by disk exhaustion could impact availability requirements under these regulations.

However, since there is no direct compromise of confidentiality or integrity of data, the impact on compliance with data protection regulations is limited to availability concerns.

Executive Summary

This vulnerability exists in libp2p, a JavaScript implementation of the libp2p networking stack, specifically in the @libp2p/kad-dht module running in server mode prior to version 16.2.6.

An unauthenticated remote peer can send an unlimited stream of PUT_VALUE messages with specially crafted keys that bypass all content validation.

Because there is no need for credentials, prior relationship, or protocol deviation beyond the crafted key, the victim node's datastore can be filled until the host's disk storage is exhausted.

This causes the node to become unavailable due to disk exhaustion.

Impact Analysis

The vulnerability can lead to a denial of service condition by exhausting the disk storage of any @libp2p/kad-dht node running in server mode.

An attacker can cause the victim node to become unavailable by filling its datastore with unbounded PUT_VALUE messages.

This can disrupt services relying on the affected node, potentially causing downtime and loss of availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade the @libp2p/kad-dht node to version 16.2.6 or later, where the issue has been patched.

Detection Guidance

This vulnerability can be detected by monitoring for an unusually high volume of PUT_VALUE messages sent to any @libp2p/kad-dht node running in server mode. Specifically, look for streams of messages whose keys bypass normal content validation, in particular keys with fewer than three slash-delimited parts.

Since the attack involves sending large numbers of PUT_VALUE RPC messages (each up to 4 MB) potentially over multiple concurrent streams (up to 32), network traffic analysis tools can be used to detect abnormal traffic patterns targeting the DHT server nodes.

Suggested commands or approaches include:

  • Use packet capture tools like tcpdump or Wireshark to filter and analyze traffic on the ports used by libp2p nodes, looking for excessive PUT_VALUE RPC messages.
  • Example tcpdump command to capture traffic on the default libp2p port (replace <port> with actual port): tcpdump -i <interface> port <port> -w capture.pcap
  • Analyze captured traffic for repeated PUT_VALUE messages with keys that do not conform to expected validation rules (e.g., keys with fewer than three slash-delimited parts).
  • Monitor disk usage on the node hosting the @libp2p/kad-dht server for rapid increases that could indicate disk exhaustion attacks.
  • Use application-level logging or debugging features in libp2p to log incoming PUT_VALUE requests and inspect for abnormal patterns.
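As an added detection example, not code from the libp2p project or from this advisory: the following JavaScript parses constructed PUT_VALUE request log lines and flags the two signals the guidance above describes. The log format, peer IDs, keys and sizes are all invented for illustration; real libp2p logging differs. A key is treated as bypassing validation when its raw `split('/')` element count is below three (one reading of "fewer than three slash-delimited parts", and an assumption here), the 4 MB per-message figure from the guidance is used as the oversized-message limit, and the per-peer byte threshold is an arbitrary assumed value.

```javascript
// Added example, not libp2p code. Flags PUT_VALUE requests whose keys have
// fewer than three slash-delimited parts and peers that upload an unusual
// volume of record bytes. Log format and all sample values are constructed.

// Constructed sample log: "<timestamp> <peerId> <key> <valueBytes>" per line.
// Peer IDs and keys are placeholders, not real identifiers.
const SAMPLE_LOG = [
  '2026-06-10T12:00:00Z 12D3KooWPeerA /pk/QmValidKey1 512',
  '2026-06-10T12:00:01Z 12D3KooWPeerB pk 4194304',
  '2026-06-10T12:00:01Z 12D3KooWPeerB /pk 4194304',
  '2026-06-10T12:00:02Z 12D3KooWPeerB junk 4194304',
  '2026-06-10T12:00:03Z 12D3KooWPeerA /ipns/QmValidKey2 1024',
  'this line is garbage and is skipped',
];

// Parse one constructed log line; returns null for lines that do not fit.
function parsePutValueLine(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length !== 4) return null;
  const [ts, peer, key, bytes] = fields;
  const size = Number(bytes);
  if (!Number.isFinite(size) || size < 0) return null;
  return { ts, peer, key, size };
}

// Number of slash-delimited parts, counted as raw split('/') elements,
// so "/pk/abc" -> 3, "/pk" -> 2, "pk" -> 1 (assumed interpretation).
function slashParts(key) {
  return key.split('/').length;
}

// The advisory's detection guidance: keys with fewer than three parts
// are the ones that bypass content validation.
function bypassesKeyValidation(key) {
  return slashParts(key) < 3;
}

// Aggregate per peer and return malformed records plus flagged peers.
// byteThreshold is an assumed value; maxMessageBytes follows the 4 MB
// per-message figure quoted in the guidance.
function analyzePutValueLog(
  lines,
  { byteThreshold = 8 * 1024 * 1024, maxMessageBytes = 4 * 1024 * 1024 } = {}
) {
  const perPeer = new Map();
  const malformed = [];

  for (const line of lines) {
    const rec = parsePutValueLine(line);
    if (rec === null) continue;

    const stats = perPeer.get(rec.peer) ??
      { messages: 0, bytes: 0, malformedKeys: 0, oversized: 0 };
    stats.messages += 1;
    stats.bytes += rec.size;
    if (rec.size > maxMessageBytes) stats.oversized += 1;
    if (bypassesKeyValidation(rec.key)) {
      stats.malformedKeys += 1;
      malformed.push(rec);
    }
    perPeer.set(rec.peer, stats);
  }

  // A peer is flagged on either signal: any malformed key, or cumulative
  // record bytes at or above the threshold.
  const flaggedPeers = [...perPeer.entries()]
    .filter(([, s]) => s.malformedKeys > 0 || s.bytes >= byteThreshold)
    .map(([peer, s]) => ({ peer, ...s }));

  return { malformed, flaggedPeers };
}

// Stand-alone run over the constructed sample.
console.log(JSON.stringify(analyzePutValueLog(SAMPLE_LOG), null, 2));
```

In practice the same per-peer aggregation would be fed from whatever request logging the node exposes, and the flagged peers correlated with the disk-usage monitoring the guidance recommends; the byte threshold should be tuned to the node's normal record volume rather than left at the assumed 8 MiB.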
