CVE-2026-35457

HIGH

libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

Title source: cna

Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.

References (1)

[X_Refsource_Confirm] https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7

Scores

CVSS v3 8.2

EPSS 0.0005

EPSS Percentile 16.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

crates.io/libp2p-rendezvous 0 - 0.17.1crates.io

libp2p/rust-libp2p < 0.17.1

protocol/libp2p < 0.17.1

Published Apr 07, 2026

Tracked Since Apr 07, 2026