Skip to main content

CVE-2026-33040

HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-18 https://github.com/libp2p/rust-libp2p GHSA-gc42-3jg7-rxr2
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 30, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 19:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 18, 2026 - 20:00 vuln.today
CVE Published
Mar 18, 2026 - 19:54 nvd
HIGH 7.5

DescriptionGitHub Advisory

Summary

The Rust libp2p Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication.

Attack Scenario

An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending a single crafted PRUNE control message:

  1. Establish a standard libp2p transport session and negotiate a stream multiplexer.
  2. Open a Gossipsub stream and negotiate the meshsub protocol.
  3. Send one protobuf RPC containing ControlPrune with a very large backoff value (e.g. 18446744073709551615 / u64::MAX).

When processed, the oversized backoff can reach time-update logic that adds Duration::from_secs(backoff) to Instant::now(), causing overflow and panic.

Impact

Remote unauthenticated denial of service. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message.

Patches

Users should upgrade to a release that hardens Gossipsub backoff handling.

This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program

AnalysisAI

The Rust libp2p Gossipsub implementation contains an integer overflow vulnerability that allows remote unauthenticated attackers to crash affected nodes by sending a single crafted PRUNE control message with an extremely large backoff value (e.g., u64::MAX). The vulnerability affects the libp2p-gossipsub Rust crate and enables trivial denial of service against any application exposing a Gossipsub listener. This vulnerability was discovered through responsible disclosure to the Ethereum Foundation bug bounty program by @revofusion, and while no active exploitation (KEV) status is indicated, the attack complexity is extremely low and a detailed proof-of-concept attack scenario has been publicly disclosed in the advisory.

Technical ContextAI

The affected component is the Rust implementation of libp2p Gossipsub (pkg:rust/libp2p-gossipsub), a pub-sub messaging protocol commonly used in peer-to-peer networks including Ethereum and IPFS infrastructure. The root cause is classified as CWE-190 (Integer Overflow or Wraparound). The vulnerability exists in the backoff handling logic where the implementation accepts attacker-controlled backoff values from PRUNE control messages without proper validation. When an extremely large backoff value is processed, the code performs unchecked arithmetic by adding Duration::from_secs(backoff) to Instant::now(), causing a panic due to Duration or Instant overflow in Rust's time handling primitives. The libp2p protocol stack uses a stream multiplexer over standard transports, and Gossipsub operates as a protocol-negotiated stream within that framework, making this reachable through normal network connections without authentication requirements.

RemediationAI

Users of libp2p-gossipsub should immediately upgrade to a patched release that includes hardened Gossipsub backoff handling, as recommended in the GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2. Consult the libp2p Rust project release notes and the advisory for specific version numbers containing the fix. Until patching is possible, organizations can temporarily mitigate risk by implementing network-level controls such as restricting Gossipsub listener access to trusted peer networks only, deploying connection rate limiting to slow repeated attack attempts, or running affected services behind firewalls that filter connections to known-good peers. Given the low attack complexity and availability of a detailed exploit scenario, patching should be prioritized over workarounds for production systems.

Share

CVE-2026-33040 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy