CVE-2026-49343

MEDIUMPre-NVD 5.95.9
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.9 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 84% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
5.9
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 5.9Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS

Summary

The account-data trie syncers leak bounded throttler slots on error paths in syncDataTrie(). Each failed trie sync permanently consumes one slot from the NumGoRoutinesThrottler, and the slot is never returned unless the sync succeeds or the root hash was already present.

I confirmed this on the current default branch develop at commit 9640d63 (observed on May 20, 2026). I also confirmed the bug with a runtime PoC using the real timeout path in trieSyncer.StartSyncing(): two timed-out sync attempts are enough to exhaust a throttler with capacity 2.

This affects the epoch bootstrap path because syncUserAccountsState() and syncKappAccountsState() create bounded throttlers and abort bootstrap immediately if the syncer returns an error. Once enough trie-root sync attempts fail, the syncer cannot make forward progress and bootstrap fails.

## Affected Components

  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go
  • data/trie/sync.go
  • core/throttler/numGoRoutinesThrottler.go
  • core/bootstrap/process.go

## Affected Version

Verified on:

  • develop HEAD 9640d63

Please check whether the same code is present in supported 1.7.x releases.

## Suggested Severity

High

## Vulnerability Details

### Root Cause

Both account-data syncers call StartProcessing() before creating / starting the trie syncer, but they only call EndProcessing() on the success path and on the duplicate-root early return.

userAccountsSyncer.syncDataTrie():

func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
      u.throttler.StartProcessing()

u.syncerMutex.Lock() if _, ok := u.dataTries[string(rootHash)]; ok { u.syncerMutex.Unlock() u.throttler.EndProcessing() return nil }

dataTrie, err := trie.NewTrie(...) if err != nil { u.syncerMutex.Unlock() return err }

trieSyncer, err := trie.NewTrieSyncer(arg) if err != nil { u.syncerMutex.Unlock() return err }

u.syncerMutex.Unlock()

err = trieSyncer.StartSyncing(rootHash, ctx) if err != nil { return err }

u.throttler.EndProcessing() return nil }

The same bug exists in kappAccountsSyncer.syncDataTrie().

### Missing slot release paths

After StartProcessing(), the following error paths return without EndProcessing():

  • trie.NewTrie(...) returns an error
  • trie.NewTrieSyncer(...) returns an error
  • trieSyncer.StartSyncing(...) returns an error

### Why this matters

NumGoRoutinesThrottler is a strict bounded counter:

func (ngrt *NumGoRoutinesThrottler) CanProcess() bool {
      valCounter := atomic.LoadInt32(&ngrt.counter)
      return valCounter < ngrt.max
  }

func (ngrt *NumGoRoutinesThrottler) StartProcessing() { atomic.AddInt32(&ngrt.counter, 1) }

func (ngrt *NumGoRoutinesThrottler) EndProcessing() { atomic.AddInt32(&ngrt.counter, -1) }

Once leaked, a slot remains consumed for the lifetime of that throttler instance.

The parent loops in both syncers wait for capacity before starting the next account-data trie sync:

for !u.throttler.CanProcess() { select { case <-time.After(timeBetweenRetries): continue case <-ctx.Done(): return common.ErrTimeIsOut } }

So after enough failures, further roots stop progressing and the sync operation eventually returns time is out.

### Bootstrap impact

Epoch bootstrap uses these syncers directly and aborts on any error:

err = e.syncUserAccountsState(e.epochStartMeta.Header.TrieRoot)
  if err != nil {
      return nil, nil, err
  }

err = e.syncKappAccountsState(e.epochStartMeta.Header.KAppsTrieRoot) if err != nil { return nil, nil, err }

The throttlers for these paths are real bounded throttlers created from numConcurrentTrieSyncers.

## Proof of Concept

I verified the bug with the real timeout path, not only with a canceled context.

The PoC below uses:

  • a real NumGoRoutinesThrottler with capacity 2
  • a real trieSyncer.StartSyncing()
  • an empty trie-node cache and a request handler that never supplies nodes
  • a short sync timeout (1s) so StartSyncing() returns trie.ErrTimeIsOut

After the first failed sync, one slot remains leaked. After the second failed sync, the throttler is exhausted.

### PoC test

package syncer

import ( "context" "testing" "time"

commonmock "github.com/klever-io/klever-go/common/mock" corethrottler "github.com/klever-io/klever-go/core/throttler" "github.com/klever-io/klever-go/data" "github.com/klever-io/klever-go/data/trie" triestats "github.com/klever-io/klever-go/data/trie/statistics" "github.com/stretchr/testify/require" )

func newBaseSyncerForTimeoutPOC(t *testing.T) *baseAccountsSyncer { t.Helper()

storageManager, err := trie.NewTrieStorageManagerWithoutPruning(commonmock.NewMemDbMock()) require.NoError(t, err)

return &baseAccountsSyncer{ hasher: commonmock.HasherMock{}, marshalizer: &commonmock.MarshalizerMock{}, trieSyncers: make(map[string]data.TrieSyncer), dataTries: make(map[string]data.Trie), trieStorageManager: storageManager, requestHandler: &commonmock.RequestHandlerStub{}, timeout: time.Second, cacher: commonmock.NewCacherStub(), maxTrieLevelInMemory: 5, name: "timeout-poc", maxHardCapForMissingNodes: 1, } }

func TestPOC_UserAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) { thr, err := corethrottler.NewNumGoRoutinesThrottler(2) require.NoError(t, err)

s := &userAccountsSyncer{ baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t), throttler: thr, }

err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background()) require.ErrorIs(t, err, trie.ErrTimeIsOut) require.True(t, thr.CanProcess())

err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background()) require.ErrorIs(t, err, trie.ErrTimeIsOut) require.False(t, thr.CanProcess()) }

func TestPOC_KappAccountsSyncer_LeaksThrottlerSlotOnTrieTimeout(t *testing.T) { thr, err := corethrottler.NewNumGoRoutinesThrottler(2) require.NoError(t, err)

s := &kappAccountsSyncer{ baseAccountsSyncer: newBaseSyncerForTimeoutPOC(t), throttler: thr, }

err = s.syncDataTrie([]byte("missing-root-1"), triestats.NewTrieSyncStatistics(), context.Background()) require.ErrorIs(t, err, trie.ErrTimeIsOut) require.True(t, thr.CanProcess())

err = s.syncDataTrie([]byte("missing-root-2"), triestats.NewTrieSyncStatistics(), context.Background()) require.ErrorIs(t, err, trie.ErrTimeIsOut) require.False(t, thr.CanProcess()) }

### Command used
go test ./data/syncer -run 'TestPOC_(User|Kapp)AccountsSyncer_LeaksThrottlerSlotOnTrieTimeout' -count=1
### Result
ok    github.com/klever-io/klever-go/data/syncer      4.005s
This confirms the leak with the real timeout path from trieSyncer.StartSyncing().

## Impact

An attacker who can repeatedly cause trie-node sync failures or timeouts during bootstrap can consume the bounded sync throttler until no capacity remains.

Once enough slots are leaked:

  • additional account-data trie sync attempts stop making progress
  • the parent loop waits until context timeout
  • SyncAccounts() fails
  • epoch bootstrap fails

This is a core node availability issue. It affects fresh/restarting nodes and validators that need to bootstrap or resync state.

This is not a theoretical issue:

  • StartSyncing() performs network-dependent trie-node retrieval
  • it already has explicit timeout / failure paths
  • the leaked throttler slots are confirmed by runtime PoC

## Recommended Fix

Release the slot with defer immediately after StartProcessing() and cancel the defer only if ownership is intentionally transferred, which is not the case here.

Example fix pattern:

func (u *userAccountsSyncer) syncDataTrie(rootHash []byte, ssh data.SyncStatisticsHandler, ctx context.Context) error {
      u.throttler.StartProcessing()
      defer u.throttler.EndProcessing()

u.syncerMutex.Lock() defer u.syncerMutex.Unlock()

if _, ok := u.dataTries[string(rootHash)]; ok { return nil }

dataTrie, err := trie.NewTrie(...) if err != nil { return err }

trieSyncer, err := trie.NewTrieSyncer(arg) if err != nil { return err }

u.trieSyncers[string(rootHash)] = trieSyncer return trieSyncer.StartSyncing(rootHash, ctx) }

The same pattern should be applied to:
  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go

## References

  • data/syncer/userAccountsSyncer.go
  • data/syncer/kappAccountsSyncer.go
  • data/trie/sync.go
  • core/throttler/numGoRoutinesThrottler.go
  • core/bootstrap/process.go
  • SECURITY.md

CVSS v3
5.9
EG Score
5.9(low)
EPSS
16.0%
KEV
Not listed

Published

June 5, 2026

Last Modified

June 5, 2026

Vendor Advisories for CVE-2026-49343(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/klever-io/klever-go1.7.18

Data Freshness Timeline

(refreshed 5× in last 7d / 30× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-05 21:57 UTCEG score recompute
  2. 2026-07-04 20:35 UTCEG score recompute
  3. 2026-07-03 01:50 UTCEG score recompute
  4. 2026-07-02 00:54 UTCEG score recompute
  5. 2026-07-01 00:25 UTCEG score recompute
  6. 2026-06-30 00:00 UTCEG score recompute
  7. 2026-06-28 23:18 UTCEG score recompute
  8. 2026-06-27 22:53 UTCEG score recompute
  9. 2026-06-26 22:27 UTCEG score recompute
  10. 2026-06-25 21:59 UTCEG score recompute
  11. 2026-06-24 21:33 UTCEG score recompute
  12. 2026-06-23 17:31 UTCEG score recompute
  13. 2026-06-22 14:35 UTCEG score recompute
  14. 2026-06-21 03:45 UTCEG score recompute
  15. 2026-06-19 23:34 UTCEG score recompute
  16. 2026-06-18 22:44 UTCEG score recompute
  17. 2026-06-17 22:18 UTCEG score recompute
  18. 2026-06-16 21:39 UTCEG score recompute
  19. 2026-06-15 21:13 UTCEG score recompute
  20. 2026-06-14 23:18 UTCEPSS rescore
  21. 2026-06-14 20:48 UTCEG score recompute
  22. 2026-06-13 23:00 UTCEPSS rescore
  23. 2026-06-13 20:23 UTCEG score recompute
  24. 2026-06-12 23:12 UTCEPSS rescore
  25. 2026-06-12 19:56 UTCEG score recompute
Show 7 more
  1. 2026-06-11 19:30 UTCEG score recompute
  2. 2026-06-10 19:05 UTCEG score recompute
  3. 2026-06-09 18:40 UTCEG score recompute
  4. 2026-06-08 18:14 UTCEG score recompute
  5. 2026-06-07 17:49 UTCEG score recompute
  6. 2026-06-06 17:23 UTCEG score recompute
  7. 2026-06-05 16:57 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-49343?
CVE-2026-49343 is a medium vulnerability published on June 5, 2026. Klever-Go KVM: Throttler slot leak in trie account-data sync causes epoch bootstrap / state sync DoS Summary The account-data trie syncers leak bounded throttler slots on error paths in syncDataTrie(). Each failed trie sync permanently consumes one slot from the NumGoRoutinesThrottler, and the slot…
When was CVE-2026-49343 disclosed?
CVE-2026-49343 was first published in the National Vulnerability Database on June 5, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-49343 actively exploited?
CVE-2026-49343 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 16.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-49343?
CVE-2026-49343 has a CVSS v4.0 base score of 5.9 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49343?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49343, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-49343

Explore →

Is Your Infrastructure Affected by CVE-2026-49343?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.