Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
Published: 2026-03-31
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a remotely reachable panic in the Rust libp2p Gossipsub module caused by an overflow when adding a duration to an instant. When a peer sends a crafted PRUNE control message with a high backoff value, the value is stored near the upper bound and later adds duration during a heartbeat. This unchecked arithmetic can overflow, causing a panic that crashes the node and effectively denies service to the peer and potentially disrupts the network. The flaw is rooted in integer overflow (CWE-190) and unchecked return values (CWE-617).

Affected Systems

The bug affects the libp2p Rust implementation (rust-libp2p) of the Gossipsub protocol, specifically versions prior to 0.49.4. Any node that participates in Gossipsub over normal TCP+Noise+multiplexing (mplex or yamux) is vulnerable, as the flaw is triggered simply by becoming a protocol peer and receiving the malicious PRUNE message.

Risk and Exploitability

The CVSS score of 8.2 indicates a high impact of the crash, while the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread yet. The vulnerability is not listed in the KEV catalog. Attackers can trigger the overflow from any reachable Gossipsub peer without special authentication, making the vector broadly available. Because the effect is a crash rather than data leakage or privilege escalation, the primary risk is denial of service to the targeted node or the network it supports.

Generated by OpenCVE AI on April 6, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rust-libp2p to version 0.49.4 or later.

Generated by OpenCVE AI on April 6, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xqmp-fxgv-xvq5 libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling
History

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Libp2p libp2p-gossipsub
CPEs cpe:2.3:a:libp2p:libp2p-gossipsub:*:*:*:*:*:rust:*:*
Vendors & Products Libp2p libp2p-gossipsub
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Libp2p
Libp2p rust-libp2p
Vendors & Products Libp2p
Libp2p rust-libp2p

Tue, 31 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
Title libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
Weaknesses CWE-190
CWE-617
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Libp2p Libp2p-gossipsub Rust-libp2p
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T17:34:57.667Z

Reserved: 2026-03-26T15:57:52.324Z

Link: CVE-2026-34219

cve-icon Vulnrichment

Updated: 2026-03-31T17:34:53.996Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T16:16:31.920

Modified: 2026-04-06T15:00:33.037

Link: CVE-2026-34219

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T08:07:59Z

Weaknesses