Description
libp2p-rust is the official Rust-language implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
Published: 2026-04-07
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unbounded memory growth leading to denial of service
Action: Patch
AI Analysis

Impact

The libp2p-rust rendezvous server does not bound the number of pagination cookies it stores. An unauthenticated peer can repeatedly issue DISCOVER requests, causing unbounded memory allocation and eventual exhaustion of system resources. This is an instance of CWE-770 (Allocation of Resources Without Limits or Throttling), and its impact is denial of service.
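To make the weakness and its remedy concrete at the code level, the following is an added example in Rust; it is not libp2p's code and makes no claim about the project's internal types or the exact shape of its fix. It models a rendezvous-style pagination-cookie store with two bounds, a global cap on stored cookies and a per-peer quota, evicting the oldest cookie when the global cap is hit. The names CookieStore, issue, resume and simulate_flood, and the caps 1000 and 8, are assumptions made for the example; the unbounded behaviour the advisory describes is what you get if the two checks in issue are removed.

```rust
use std::collections::{HashMap, VecDeque};

/// Opaque pagination cookie handed to a client so it can resume a
/// DISCOVER listing. (Constructed for this example; not a libp2p type.)
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
pub struct Cookie(pub u64);

/// Server-side cookie store with a global cap and a per-peer quota.
/// An unbounded version of this table is what the advisory describes:
/// every DISCOVER request adds an entry and nothing ever removes it.
#[derive(Debug)]
pub struct CookieStore {
    max_total: usize,
    max_per_peer: usize,
    next_id: u64,
    /// cookie id -> (owning peer, pagination offset it resumes from)
    entries: HashMap<u64, (String, usize)>,
    /// cookie ids in insertion order, oldest first; drives eviction
    order: VecDeque<u64>,
    /// live cookies currently held by each peer
    per_peer: HashMap<String, usize>,
}

impl CookieStore {
    pub fn new(max_total: usize, max_per_peer: usize) -> Self {
        CookieStore {
            max_total,
            max_per_peer,
            next_id: 1,
            entries: HashMap::new(),
            order: VecDeque::new(),
            per_peer: HashMap::new(),
        }
    }

    /// Issue a cookie for `peer` at `offset`. Refuses (None) once the peer
    /// holds its quota; evicts the oldest cookie overall once the global
    /// cap is reached, so memory stays bounded however many requests arrive.
    pub fn issue(&mut self, peer: &str, offset: usize) -> Option<Cookie> {
        let held = self.per_peer.get(peer).copied().unwrap_or(0);
        if held >= self.max_per_peer {
            return None;
        }
        if self.entries.len() >= self.max_total {
            self.evict_oldest();
        }
        let id = self.next_id;
        self.next_id += 1;
        self.entries.insert(id, (peer.to_string(), offset));
        self.order.push_back(id);
        *self.per_peer.entry(peer.to_string()).or_insert(0) += 1;
        Some(Cookie(id))
    }

    /// Redeem a cookie: returns the stored offset and frees the slot.
    pub fn resume(&mut self, cookie: &Cookie) -> Option<usize> {
        let (peer, offset) = self.entries.remove(&cookie.0)?;
        self.release(&peer);
        Some(offset)
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }

    fn evict_oldest(&mut self) {
        // `order` may still hold ids already redeemed via `resume`; skip them.
        while let Some(id) = self.order.pop_front() {
            if let Some((peer, _)) = self.entries.remove(&id) {
                self.release(&peer);
                return;
            }
        }
    }

    fn release(&mut self, peer: &str) {
        if let Some(n) = self.per_peer.get_mut(peer) {
            *n -= 1;
            if *n == 0 {
                self.per_peer.remove(peer);
            }
        }
    }
}

/// Drive the store with `peers` distinct peers each sending
/// `requests_per_peer` DISCOVER requests (a constructed load, mirroring
/// the pattern in the advisory). Returns (cookies held, requests refused).
pub fn simulate_flood(peers: usize, requests_per_peer: usize) -> (usize, usize) {
    let mut store = CookieStore::new(1000, 8);
    let mut refused = 0;
    for p in 0..peers {
        let peer = format!("peer-{p}");
        for i in 0..requests_per_peer {
            if store.issue(&peer, i).is_none() {
                refused += 1;
            }
        }
    }
    (store.len(), refused)
}

fn main() {
    let (stored, refused) = simulate_flood(500, 20);
    println!("cookies stored: {stored}, requests refused: {refused}");
}
```

With 500 peers sending 20 requests each, the store never holds more than 1000 cookies and each peer is capped at 8, so 6000 requests are refused instead of growing the table; the same load against an unbounded table would retain all 10000 entries. The per-peer quota is the check that matters against a single abusive peer, and the global cap is what keeps memory bounded when many peers (or one peer behind many identities) participate.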

Affected Systems

Any release of the Rust libp2p library prior to 0.17.1 is affected. Devices or services that run a libp2p rendezvous server built on one of these versions are impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Although no EPSS value is available, the absence of any authentication requirement and the fact that the vulnerability is triggered remotely by ordinary DISCOVER requests make exploitation likely. The vulnerability is not listed in the CISA KEV catalog, but it poses a risk of service disruption if exploited, especially where the rendezvous server is publicly accessible.

Generated by OpenCVE AI on April 7, 2026 at 19:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libp2p to version 0.17.1 or newer.
  • If upgrading is not immediately possible, restrict or block incoming DISCOVER traffic using firewall rules or rate-limit the requests to the rendezvous server.
  • Monitor system memory usage for abnormal growth patterns and consider temporarily disabling the rendezvous functionality until a patch is applied.

Advisories

Source: GitHub GHSA
ID: GHSA-v5hw-cv9c-rpg7
Title: libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

History

Fri, 24 Apr 2026 13:45:00 +0000

Type: First Time appeared
  Values added: Protocol; Protocol libp2p
Type: CPEs
  Values added: cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*
Type: Vendors & Products
  Values added: Protocol; Protocol libp2p

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
  Values added: Libp2p; Libp2p rust-libp2p
Type: Vendors & Products
  Values added: Libp2p; Libp2p rust-libp2p

Tue, 07 Apr 2026 20:45:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 15:15:00 +0000

Type: Description
  Values added: libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
Type: Title
  Values added: libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion
Type: Weaknesses
  Values added: CWE-770
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-07T17:53:37.355Z
Reserved: 2026-04-02T19:25:52.193Z
Link: CVE-2026-35457

Vulnrichment

Updated: 2026-04-07T17:53:25.830Z

NVD

Status: Analyzed
Published: 2026-04-07T15:17:43.587
Modified: 2026-04-24T13:32:56.967
Link: CVE-2026-35457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:24:21Z

Weaknesses