CVE-2026-49866
Received Received - Intake

Memory Exhaustion in libp2p Due to Unlimited Message IDs

Vulnerability report for CVE-2026-49866, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to 16.0.0, @libp2p/gossipsub defaultDecodeRpcLimits set maxIhaveMessageIDs and maxIwantMessageIDs to Infinity, allowing oversized IHAVE and IWANT control message arrays in message/decodeRpc.ts and gossipsub.ts to synchronously iterate roughly 180,000 message IDs per 4 MB frame and block the Node.js event loop. This issue is fixed in version 16.0.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libp2p libp2p 16.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the libp2p JavaScript networking stack prior to version 16.0.0. The defaultDecodeRpcLimits configuration in @libp2p/gossipsub set the maximum number of IHAVE and IWANT message IDs to Infinity. This allowed attackers to send oversized IHAVE and IWANT control message arrays, which caused the system to synchronously iterate over roughly 180,000 message IDs per 4 MB frame. This iteration blocks the Node.js event loop, leading to a denial of service.

Mitigation Strategies

To mitigate this vulnerability, upgrade the libp2p package to version 16.0.0 or later, where the issue with oversized IHAVE and IWANT control message arrays causing Node.js event loop blocking has been fixed.

Impact Analysis

The vulnerability can cause a denial of service (DoS) by blocking the Node.js event loop. When oversized IHAVE and IWANT message arrays are processed, the event loop is synchronously blocked, which can halt the application's ability to handle other tasks or requests. This can lead to application unavailability or degraded performance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49866. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart