CVE-2026-46679 Overview
CVE-2026-46679 is a high-severity denial-of-service vulnerability in the @libp2p/gossipsub component of the libp2p JavaScript networking stack. The flaw exists in all versions prior to 15.0.23. Three cooperating omissions in input validation allow a single unauthenticated peer to exhaust the Node.js heap of any gossipsub node running default configuration. The maintainers patched the issue in version 15.0.23. The vulnerability is tracked under [CWE-20] (Improper Input Validation) and affects the availability of any service relying on the affected gossipsub implementation.
Critical Impact
A single unauthenticated remote peer can exhaust the Node.js heap of any default-configured gossipsub node, causing process termination and denial of service across libp2p-based networks.
Affected Products
- js-libp2p versions prior to 15.0.23
- @libp2p/gossipsub running with default options
- Node.js applications and peer-to-peer services built on js-libp2p gossipsub pubsub
Discovery Timeline
- 2026-06-10 - CVE-2026-46679 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46679
Vulnerability Analysis
The vulnerability resides in the @libp2p/gossipsub module, a pubsub routing implementation used by js-libp2p peers to propagate messages across a mesh network. Three cooperating omissions in message validation and resource accounting let a single peer drive memory allocation without bound. Because gossipsub processes peer messages before authentication of the message contents, an attacker only needs network reachability to a target node to begin pushing it toward heap exhaustion.
The end result is a Node.js process that crashes once the V8 heap limit is reached. For peer-to-peer applications, blockchain validators, and decentralized storage nodes that rely on gossipsub for routing, this translates directly to node downtime and network instability.
Root Cause
The root cause is improper input validation [CWE-20] across three handling paths that, in combination, fail to bound the memory consumed by data accepted from a single peer. Each omission in isolation may be tolerable, but together they remove the limits that would normally cap peer-driven allocation under default options.
Attack Vector
Exploitation is performed remotely over the network. The attacker connects as a standard gossipsub peer, requires no privileges or user interaction, and sends crafted protocol messages that trigger the unbounded allocations. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-4f8r-922h-2vgv. No verified proof-of-concept code has been published.
Detection Methods for CVE-2026-46679
Indicators of Compromise
- Node.js processes terminating with FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory on gossipsub-enabled services
- Sustained growth of resident set size (RSS) on libp2p nodes correlated with inbound traffic from a single peer ID
- Abnormal volumes of gossipsub control messages (IHAVE, IWANT, GRAFT, PRUNE) from one or a small number of peers
Detection Strategies
- Inventory deployed js-libp2p and @libp2p/gossipsub versions across services and flag any release prior to 15.0.23.
- Instrument gossipsub nodes with per-peer message and byte counters to identify peers driving disproportionate allocation.
- Alert on Node.js heap usage approaching the configured --max-old-space-size limit on libp2p hosts.
Monitoring Recommendations
- Capture process restart events and out-of-memory kills for any host running a libp2p gossipsub service.
- Forward libp2p peer connection logs and gossipsub metrics to a centralized log platform for correlation across nodes.
- Track inbound peer churn and message rates to detect coordinated abuse against multiple nodes simultaneously.
How to Mitigate CVE-2026-46679
Immediate Actions Required
- Upgrade @libp2p/gossipsub and the parent js-libp2p stack to version 15.0.23 or later in all production and staging environments.
- Restart affected Node.js services after the upgrade to ensure the patched code path is loaded.
- Restrict inbound peer connectivity to known or rate-limited peers where the application architecture permits.
Patch Information
The maintainers fixed the issue in @libp2p/gossipsub shipped with js-libp2p version 15.0.23. Operators should update direct and transitive dependencies and rebuild applications. Patch details are documented in the GitHub Security Advisory GHSA-4f8r-922h-2vgv.
Workarounds
- Configure non-default gossipsub options that impose stricter per-peer message size, queue, and rate limits if immediate upgrade is not possible.
- Place gossipsub nodes behind connection allow-lists or peer scoring policies that disconnect peers exceeding resource thresholds.
- Set a conservative Node.js --max-old-space-size and run gossipsub services under a supervisor that restarts on OOM to limit downtime until patching completes.
# Upgrade js-libp2p and gossipsub to the patched release
npm install libp2p@latest @libp2p/gossipsub@^15.0.23
npm ls @libp2p/gossipsub
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

