216.73.217.98

CVE-2026-34219

· Published 31/03/2026 16:16 · Modified 01/04/2026 14:24

Labels: CVE-2026-34219 2026-03-31CVE-2026-34219CWE-190[email protected]

Essential information

Published
31/03/2026 16:16
Modified
01/04/2026 14:24
Author
Creator
CVSS
8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
libp2p / libp2p-rust cpe:2.3:a:libp2p:libp2p-rust:*:*:*:*:*:*:*:*
libp2p / gossipsub cpe:2.3:a:libp2p:gossipsub:*:*:*:*:*:*:*:*

References