CVE-2026-34219

MEDIUM

libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow

Title source: cna

Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.

References (1)

[X_Refsource_Confirm] https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5

Scores

CVSS v3 5.9

EPSS 0.0006

EPSS Percentile 17.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-190 CWE-617

Status published

Products (3)

crates.io/libp2p-gossipsub 0 - 0.49.4crates.io

libp2p/libp2p-gossipsub < 0.49.4

libp2p/rust-libp2p < 0.49.4

Published Mar 31, 2026

Tracked Since Mar 31, 2026