CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49866

highCVSS 7.5covered by 2 sourcesfirst seen 2026-07-08
Summary gossipsub processes IHAVE and IWANT control messages by iterating every received message ID synchronously before doing anything with the results. There is no cap on how many IDs a single frame may contain. The default LP frame limit is 4MB, which fits roughly 180,000 message IDs. Iterating that many IDs blocks the Node.js event loop for around 200ms per call. The two variants have different severity. For IHAVE there is a per-peer per-heartbeat counter that limits each peer to one full iteration per heartbeat, so causing a total stall requires around 10 Sybil peers. For IWANT there is no equivalent counter at all, so a single peer continuously streaming 4MB frames can hold the event loop above 80% utilisation indefinitely. Details No decode-time cap on message ID count (message/decodeRpc.ts:11-19) export const defaultDecodeRpcLimits: DecodeRPCLimits = { maxSubscriptions: Infinity, maxMessages: Infinity, maxIhaveMessageIDs: Infinity, maxIwantMessageIDs: Infinity, maxIdontwantMessageIDs: Infinity, maxControlMessages: Infinity, maxPeerInfos: Infinity } These are the defaults unless the operator explicitly overrides opts.decodeRpcLimits. A TODO at gossipsub.ts:857 already notes the gap: // TODO: Check max gossip message size, before decodeRpc(). IHAVE iterates all IDs before truncating (gossipsub.ts:1311-1327) messageIDs.forEach((msgId) => { const msgIdStr = this.msgIdToStrFn(msgId) if (!this.seenCache.has(msgIdStr)) { iwant.set(msgIdStr, msgId) } }) // truncation to GossipsubMaxIHaveLength (5000) only happens after the loop finishes The per-peer flood counters (iasked, peerhave) do cap things eventually: each peer is limited to 10 IHAVE RPCs and 5000 IDs counted per heartbeat. After the first oversized IHAVE from a peer, subsequent ones are rejected cheaply. The problem is that the cap is per peer, so 10 Sybil peers each sending one 180K-ID IHAVE per heartbeat gives 10 x 150ms = 1500ms of synchronous work against a 1000ms heartbeat interval. IWANT has no

⚡ Watch CVE-2026-49866

Get an email if CVE-2026-49866 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-49866

CVE.org record

Embed the live status

CVE-2026-49866 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49866 status](https://www.csirts.com/badge/CVE-2026-49866)](https://www.csirts.com/cve/CVE-2026-49866)