libp2p-metrics (=0.11.0) potentially affected by CVE-2026-33040 +1 more via libp2p-gossipsub (=0.43.0)
Details
CVSS v3
8.7
CVSS v4
8.2
NVD published
2026-03-31 16:16:31
EPSS
<0.1% probability · 15.5th percentile — 2026-04-05
Affected versions
Not available in our cache.
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.