libp2p-metrics (=0.11.0) potentially affected by CVE-2026-33040 +1 more via libp2p-gossipsub (=0.43.0)
Details
CVSS v3
7.5
CVSS v4
8.7
NVD published
2026-03-20 06:16:12
EPSS
<0.1% probability · 18.8th percentile — 2026-04-05
Affected versions
cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.