CVE-2026-45783
Disk Storage Exhaustion in libp2p Kad-DHT Node

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
libp2p is a JavaScript implementation of the libp2p networking stack. Prior to version 16.2.6, an unauthenticated remote peer can exhaust the disk storage of any @libp2p/kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a crafted key are required. The victim node's datastore fills until the host disk is exhausted, making the node unavailable. This issue has been patched in version 16.2.6.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-11
Affected Vendors & Products (2 associated CPEs)
Vendor: libp2p; Product: libp2p; Version range: all versions before 16.2.6 (16.2.6 excluded)
Vendor: libp2p; Product: kad-dht; Version range: all versions before 16.2.6 (16.2.6 excluded)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in libp2p, a JavaScript implementation of the libp2p networking stack, specifically in the @libp2p/kad-dht module running in server mode prior to version 16.2.6.

An unauthenticated remote peer can send an unlimited stream of PUT_VALUE messages whose crafted keys bypass all content validation.

Because no credentials, prior relationship, or protocol deviation beyond the crafted key are needed, any reachable server-mode node is exposed, and its datastore can be filled until the host's disk storage is exhausted.

Once the disk is full, the node becomes unavailable.

Impact Analysis

The vulnerability leads to a denial of service condition by exhausting the disk storage of any @libp2p/kad-dht node running in server mode.

An attacker can make the victim node unavailable by filling its datastore with an unbounded stream of PUT_VALUE messages.

This disrupts services that rely on the affected node, causing downtime and loss of availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade @libp2p/kad-dht to version 16.2.6 or later, where the issue has been patched. Nodes that do not need to serve DHT records for other peers are not exposed, since the issue only affects nodes running in server mode.

Compliance Impact

The vulnerability allows an unauthenticated remote peer to exhaust the disk storage of a libp2p kad-dht node running in server mode by sending an unbounded stream of PUT_VALUE messages, resulting in denial of service as the node becomes unavailable.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, the denial of service caused by disk exhaustion could affect availability requirements under these regulations.

However, because the confidentiality and integrity of data are not directly compromised, the impact on compliance with data protection regulations is limited to availability concerns.
