Description
libp2p-rust is the official Rust-language implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
Published: 2026-03-31
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

A crafted PRUNE control message can cause a runtime panic in the Rust implementation of libp2p's Gossipsub protocol. The attacker supplies a backoff value so large that the expiry Instant the node stores for that peer sits near the upper bound of what Instant can represent. On a later heartbeat the node adds its backoff slack to that Instant with unchecked Instant + Duration arithmetic (backoff_time + slack); the addition overflows, the standard library panics with "overflow when adding duration to instant", and the node goes out of service. The flaw is an integer overflow in time arithmetic (CWE-190) that surfaces as a remotely reachable assertion (CWE-617).
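The arithmetic described above, as an added example that is not rust-libp2p's code: a minimal model of the heartbeat expiry check with the unchecked backoff_time + slack beside two defences, a checked_add heartbeat and clamping at PRUNE ingestion. MAX_ACCEPTED_BACKOFF, the function names, and the binary search that locates the platform's Instant bound are assumptions of this example; the crate's real data structures and the exact upstream fix are not reproduced. Because a remote attacker cannot see the victim's clock, the example computes the exact bound locally so the failing path is reproducible on any platform.

```rust
use std::time::{Duration, Instant};

/// Upper bound this node will honour for a backoff requested by a remote PRUNE.
/// Assumption of this example; it is not a gossipsub default.
const MAX_ACCEPTED_BACKOFF: Duration = Duration::from_secs(3600);

/// Vulnerable expiry check, shaped like the advisory's `backoff_time + slack`.
/// Inside std, `Instant + Duration` is `checked_add(..).expect("overflow when adding
/// duration to instant")`, so an unrepresentable deadline panics the heartbeat with
/// exactly the message quoted in the advisory.
fn expired_vulnerable(backoff_time: Instant, slack: Duration, now: Instant) -> bool {
    backoff_time + slack <= now
}

/// Hardened expiry check: the same comparison through `checked_add`. A deadline that
/// cannot be represented is reported as not yet expired, so the peer simply stays
/// backed off; nothing a remote peer puts in a PRUNE can reach a panic here.
fn expired_hardened(backoff_time: Instant, slack: Duration, now: Instant) -> bool {
    match backoff_time.checked_add(slack) {
        Some(deadline) => deadline <= now,
        None => false,
    }
}

/// Hardened PRUNE ingestion: clamp the remote's requested backoff to a local maximum
/// before it touches Instant arithmetic, and keep the addition checked anyway so a
/// later configuration change cannot reintroduce the overflow. `None` means "do not
/// record a backoff for this peer".
fn accept_prune_backoff(requested_secs: u64, now: Instant) -> Option<Instant> {
    let bounded = Duration::from_secs(requested_secs).min(MAX_ACCEPTED_BACKOFF);
    now.checked_add(bounded)
}

/// Largest whole-second backoff that `now` can absorb without overflowing `Instant`,
/// found by binary search over `checked_add` (monotone in its operand). This stands in
/// for the attacker's near-maximum value: it is accepted at store time, and the stored
/// Instant then sits at the representable upper bound.
fn largest_storable_backoff_secs(now: Instant) -> u64 {
    let fits = |secs: u64| now.checked_add(Duration::from_secs(secs)).is_some();
    let (mut lo, mut hi) = (0u64, u64::MAX); // fits(lo) always holds; answer in [lo, hi]
    while lo < hi {
        let mid = lo + (hi - lo) / 2 + 1; // round up so `lo` always advances
        if fits(mid) {
            lo = mid;
        } else {
            hi = mid - 1;
        }
    }
    lo
}

fn main() {
    let now = Instant::now();
    let slack = Duration::from_secs(1);

    // Attacker-controlled backoff that the store step accepts (constructed input).
    let evil_secs = largest_storable_backoff_secs(now);
    let stored = now + Duration::from_secs(evil_secs);

    // The unchecked heartbeat unwinds; catch it here so the demo can report it.
    let outcome = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        expired_vulnerable(stored, slack, now)
    }));
    println!("vulnerable heartbeat panicked: {}", outcome.is_err());
    println!("hardened heartbeat expired: {}", expired_hardened(stored, slack, now));

    // With clamping at ingestion the same PRUNE yields a deadline one hour out.
    if let Some(clamped) = accept_prune_backoff(evil_secs, now) {
        println!("clamped deadline is {:?} away", clamped.duration_since(now));
    }
}
```

The vulnerable call aborts with std's "overflow when adding duration to instant"; in a real node that unwinds the task driving the swarm (or terminates the process under panic = "abort"), which is the denial of service. Clamping at ingestion is the primary defence, since it keeps hostile values out of the table altogether; the checked heartbeat is defence in depth for any value that still gets in.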

Affected Systems

The vulnerability resides in the Gossipsub crate of the Rust libp2p library (CPE product libp2p:rust-libp2p; the advisory names libp2p-gossipsub). All versions before 0.49.4 are affected; 0.49.4 and later contain the fix.

Risk and Exploitability

The CVSS 4.0 score is 8.2 (High). The vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H records a network-reachable flaw with no privileges or user interaction required, whose only attack requirement (AT:P) is an established Gossipsub peer session over the normal TCP + Noise + mplex/yamux stack, and whose impact is confined to availability. No EPSS score has been published, the CVE is not in CISA's KEV catalogue, and the SSVC assessment lists exploitation as none and the flaw as not automatable.

Generated by OpenCVE AI on March 31, 2026 at 17:51 UTC.

Remediation

Fixed upstream: version 0.49.4 contains the patch (GHSA-xqmp-fxgv-xvq5). No vendor workaround is published for earlier versions.

OpenCVE Recommended Actions

  • Update to version 0.49.4 or later and redeploy. Supervisor restarts only mask the crash: an unpatched node is exposed again as soon as it is back on the network.
  • If an update is not possible, restrict which peers the node accepts Gossipsub streams from until the patch is applied; any accepted peer can trigger the panic.
  • Rejecting or clamping PRUNE backoff values above a sane maximum must be done in the Gossipsub handling code itself: PRUNE is a control message carried inside the Noise-encrypted, multiplexed stream, so no network-level filter can see it.
  • Confirm every node runs a patched version (for example with cargo tree -i libp2p-gossipsub against the deployed lockfile) before re-opening the node to untrusted peers.

Advisories
Source: GitHub GHSA
ID: GHSA-xqmp-fxgv-xvq5
Title: libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling
History

Tue, 31 Mar 2026 18:15:00 +0000

Type: Metrics
Values added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 16:15:00 +0000

Type: Description
Values added: the Description reproduced at the top of this page
Type: Title
Values added: libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
Type: Weaknesses
Values added: CWE-190, CWE-617
Type: References
Type: Metrics
Values added (cvssV4_0): {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-31T17:34:57.667Z
Reserved: 2026-03-26T15:57:52.324Z
Link: CVE-2026-34219

Vulnrichment

Updated: 2026-03-31T17:34:53.996Z

NVD

Status: Received
Published: 2026-03-31T16:16:31.920
Modified: 2026-03-31T16:16:31.920
Link: CVE-2026-34219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T19:54:02Z

Weaknesses