cvedb.io
CVE-2023-34451
HIGH · CVSS 8.2
EPSS exploitation probability: 0%
Published 2023-07-03T17:15:09.240 · Last modified 2026-06-17T06:03:40.767

Summary

CometBFT is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine and replicates it on many machines. The mempool maintains two data structures to keep track of outstanding transactions: a list and a map. These two data structures are supposed to be in sync at all times, in the sense that the map tracks the index (if any) of each transaction in the list. In `v0.37.0` and `v0.37.1`, as well as in `v0.34.28` and all previous releases of the CometBFT repository, it is possible for them to get out of sync. When this happens, the list may contain several copies of the same transaction. Because the map tracks a single index, it is then no longer possible to remove all the copies of the transaction from the list. This happens even if the duplicated transaction is later committ
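The out-of-sync condition the summary describes, modelled as a toy list-plus-map mempool in Go. This is an added example written for this page, not CometBFT's own mempool code and not its fix: the type and function names, the use of container/list, and keying transactions by the SHA-256 of their bytes are assumptions of the model, and AddUnchecked simply stands in for whatever code path allowed a second insert of the same transaction, which the summary does not detail. The model shows why a map holding a single index leaves an orphaned copy that Remove can never reach, and how a duplicate check at insert time keeps the list/map invariant.

```go
package main

import (
	"container/list"
	"crypto/sha256"
	"fmt"
)

// TxKey identifies a transaction by the SHA-256 of its bytes. This is an
// assumption of the model; the advisory only says the map tracks each
// transaction's index in the list.
type TxKey [sha256.Size]byte

func keyOf(tx []byte) TxKey { return sha256.Sum256(tx) }

// Mempool is a toy model of the two structures the advisory describes:
// txs is the ordered list of outstanding transactions and index maps a tx
// key to the single list element the mempool believes holds that tx.
type Mempool struct {
	txs   *list.List
	index map[TxKey]*list.Element
}

func NewMempool() *Mempool {
	return &Mempool{txs: list.New(), index: make(map[TxKey]*list.Element)}
}

// AddUnchecked models the faulty path: the tx is appended to the list and
// the index entry is overwritten without checking whether the key is already
// present. A second call with the same tx leaves two copies in the list while
// the map remembers only the newest one.
func (m *Mempool) AddUnchecked(tx []byte) {
	m.index[keyOf(tx)] = m.txs.PushBack(tx)
}

// Add is a hardened variant (this example's choice, not CometBFT's fix): the
// index is consulted first, so a duplicate is rejected and list and map are
// always updated together.
func (m *Mempool) Add(tx []byte) bool {
	k := keyOf(tx)
	if _, dup := m.index[k]; dup {
		return false
	}
	m.index[k] = m.txs.PushBack(tx)
	return true
}

// Remove deletes the one copy the index points at. Any other copy of the same
// tx in the list is unreachable through the map and survives the call; a
// second Remove finds no index entry and reports false.
func (m *Mempool) Remove(tx []byte) bool {
	k := keyOf(tx)
	el, ok := m.index[k]
	if !ok {
		return false
	}
	m.txs.Remove(el)
	delete(m.index, k)
	return true
}

// Size is the number of list entries, including unreachable duplicates.
func (m *Mempool) Size() int { return m.txs.Len() }

// InSync is the invariant the advisory says must always hold: exactly one
// index entry per list element.
func (m *Mempool) InSync() bool { return m.txs.Len() == len(m.index) }

// Orphans counts list elements the index does not point at, i.e. copies
// that Remove can no longer reach.
func (m *Mempool) Orphans() int {
	n := 0
	for el := m.txs.Front(); el != nil; el = el.Next() {
		if m.index[keyOf(el.Value.([]byte))] != el {
			n++
		}
	}
	return n
}

func main() {
	tx := []byte("constructed sample tx") // constructed input, not a real tx

	bad := NewMempool()
	bad.AddUnchecked(tx)
	bad.AddUnchecked(tx) // second insert of the same tx desyncs list and map
	fmt.Printf("unchecked: size=%d inSync=%v orphans=%d\n",
		bad.Size(), bad.InSync(), bad.Orphans())
	bad.Remove(tx) // the tx leaves the mempool, e.g. after being committed
	fmt.Printf("after remove: size=%d orphans=%d removeAgain=%v\n",
		bad.Size(), bad.Orphans(), bad.Remove(tx))

	good := NewMempool()
	fmt.Printf("hardened: first=%v second=%v size=%d inSync=%v\n",
		good.Add(tx), good.Add(tx), good.Size(), good.InSync())
}
```

Running it shows the unchecked mempool holding two entries with one orphan, still holding one entry after the only indexed copy is removed, and reporting false on the next Remove because the map no longer has a key for it; the hardened variant never admits the second copy, so InSync stays true throughout. The check worth carrying into any list-plus-index design is the InSync invariant: it is cheap to assert after every mutation and would have flagged the desync at the moment it happened rather than after an unremovable entry had accumulated.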

Affected products

cometbft — cometbft


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.