Description
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Published: 2026-03-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The Gossipsub PRUNE backoff logic in the Rust libp2p implementation accepts attacker‑controlled values and performs unchecked time arithmetic. An attacker can send a PRUNE message with an extraordinarily large backoff, such as u64::MAX, causing a duration/instant overflow that triggers a panic in the networking state machine. The result is an application crash, leading to a denial of service.
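The arithmetic that the description and the Impact paragraph above refer to can be shown in a few lines of Rust. What follows is an added example written for this page, not code from rust-libp2p: `expiry_unchecked` is the pattern the advisory describes (std's `Instant + Duration` panics with "overflow when adding duration to instant" when the sum is not representable), and `expiry_checked` is the hardened form, which clamps the peer-supplied value to a local ceiling and then uses `Instant::checked_add`, so an unrepresentable result surfaces as `None` instead of a panic. `MAX_BACKOFF`, its one-hour value, `BackoffTable`, `apply_prune` and `BackoffError` are assumptions made for this example; the library's real types, field names and fix are not reproduced here.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Largest backoff this node will honour from a peer, whatever the peer asks for.
/// The one-hour figure is a constructed value for this example, not a libp2p default.
pub const MAX_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// The pattern the advisory describes: `Instant + Duration` in std panics
/// when the sum cannot be represented, so a peer-supplied backoff of
/// u64::MAX seconds brings the task down.
pub fn expiry_unchecked(backoff_secs: u64) -> Instant {
    Instant::now() + Duration::from_secs(backoff_secs)
}

/// Hardened form: bound the untrusted value first, then use checked
/// arithmetic so that a non-representable instant becomes `None`
/// rather than a panic.
pub fn expiry_checked(backoff_secs: u64, cap: Duration) -> Option<Instant> {
    let bounded = Duration::from_secs(backoff_secs).min(cap);
    Instant::now().checked_add(bounded)
}

/// Hypothetical stand-in for per-peer backoff state (not the library's type).
/// Peers are keyed by an opaque id string.
#[derive(Default)]
pub struct BackoffTable {
    until: HashMap<String, Instant>,
}

#[derive(Debug, PartialEq)]
pub enum BackoffError {
    /// The backoff could not be turned into a future instant even after clamping.
    Unrepresentable,
}

impl BackoffTable {
    /// Handle the backoff field of a PRUNE control message from `peer`.
    /// Returns the stored expiry on success and never panics on peer input.
    pub fn apply_prune(&mut self, peer: &str, backoff_secs: u64) -> Result<Instant, BackoffError> {
        let expiry = expiry_checked(backoff_secs, MAX_BACKOFF).ok_or(BackoffError::Unrepresentable)?;
        self.until.insert(peer.to_string(), expiry);
        Ok(expiry)
    }

    /// True while `peer` is still inside its backoff window.
    pub fn is_backed_off(&self, peer: &str) -> bool {
        self.until.get(peer).map_or(false, |t| Instant::now() < *t)
    }
}

fn main() {
    let mut table = BackoffTable::default();
    // Constructed PRUNE backoffs: one sane value and one hostile value.
    for (peer, backoff) in [("peer-a", 60u64), ("peer-b", u64::MAX)] {
        match table.apply_prune(peer, backoff) {
            Ok(until) => {
                let remaining = until.saturating_duration_since(Instant::now());
                println!("{peer}: backed off for about {remaining:?}");
            }
            Err(e) => println!("{peer}: rejected ({e:?})"),
        }
    }
}
```

Running `main` processes the two constructed backoffs; the u64::MAX one is clamped to `MAX_BACKOFF` and stored rather than crashing the process. The clamp matters as much as the checked call: checked arithmetic alone turns the panic into a rejected message, but without a ceiling a remote peer still dictates how long the local node keeps it out of the mesh, so bound the value first and then check the arithmetic.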

Affected Systems

Any application that bundles the Rust libp2p library and exposes a Gossipsub listener is affected. The flaw exists in all libp2p‑rust releases prior to version 0.49.3. The issue is specific to the backoff handling path of the Gossipsub protocol stack and can be triggered by any external node communicating over a libp2p connection.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.7, indicating high severity, but the EPSS score is below 1 %, suggesting low current exploitation likelihood. It is not listed in the CISA KEV catalog. An attacker only needs to reach the service port; no authentication is required. The crash can be repeated by reconnecting and replaying the crafted PRUNE control message, so the attack is repeatable and straightforward once the endpoint is reachable.

Generated by OpenCVE AI on March 23, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rust‑libp2p to version 0.49.3 or later
  • Verify that no older versions of rust‑libp2p remain in use
  • Monitor application logs for panic or crash events related to Gossipsub



Advisories

Source: GitHub GHSA
ID: GHSA-gc42-3jg7-rxr2
Title: Gossipsub PRUNE.backoff Duration Overflow
History

Mon, 23 Mar 2026 16:30:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Protocol; Protocol libp2p
Type: CPEs
  Values removed: none
  Values added: cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*
Type: Vendors & Products
  Values removed: none
  Values added: Protocol; Protocol libp2p
Type: Metrics
  Values removed: none
  Values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 20 Mar 2026 16:15:00 +0000

Type: Metrics
  Values removed: none
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
  Values removed: none
  Values added: Libp2p; Libp2p libp2p
Type: Vendors & Products
  Values removed: none
  Values added: Libp2p; Libp2p libp2p

Fri, 20 Mar 2026 06:00:00 +0000

Type: Description
  Values removed: none
  Values added: libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Type: Title
  Values removed: none
  Values added: libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
Type: Weaknesses
  Values removed: none
  Values added: CWE-190
Type: References
Type: Metrics
  Values removed: none
  Values added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T15:41:03.864Z

Reserved: 2026-03-17T18:10:50.210Z

Link: CVE-2026-33040

Vulnrichment

Updated: 2026-03-20T15:40:57.292Z

NVD

Status : Analyzed

Published: 2026-03-20T06:16:12.330

Modified: 2026-03-23T16:17:17.450

Link: CVE-2026-33040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:30:20Z

Weaknesses