CVE-2026-34219

MEDIUM

5.9

Descripcion

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.

Detalles CVE

Puntuacion CVSS v3.15.9

SeveridadMEDIUM

Vector CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Vector de ataqueNETWORK

ComplejidadHIGH

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado3/31/2026

Ultima modificacion4/6/2026

Fuentenvd

Avistamientos honeypot0

Productos afectados

libp2p:libp2p-gossipsub

Debilidades (CWE)

CWE-190CWE-617

Referencias

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.