CVE-2026-33040
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Summary
The Rust libp2p Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication.
Attack Scenario
An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending a single crafted PRUNE control message:
- Establish a standard libp2p transport session and negotiate a stream multiplexer.
- Open a Gossipsub stream and negotiate the meshsub protocol.
- Send one protobuf RPC containing ControlPrune with a very large backoff value (e.g. 18446744073709551615 / u64::MAX).
When processed, the oversized backoff can reach time-update logic that adds Duration::from_secs(backoff) to Instant::now(), causing overflow and panic.
Impact
Remote unauthenticated denial of service. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message.
Patches
Users should upgrade to a release that hardens Gossipsub backoff handling.
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
AnalysisAI
The Rust libp2p Gossipsub implementation contains an integer overflow vulnerability that allows remote unauthenticated attackers to crash affected nodes by sending a single crafted PRUNE control message with an extremely large backoff value (e.g., u64::MAX). The vulnerability affects the libp2p-gossipsub Rust crate and enables trivial denial of service against any application exposing a Gossipsub listener. This vulnerability was discovered through responsible disclosure to the Ethereum Foundation bug bounty program by @revofusion, and while no active exploitation (KEV) status is indicated, the attack complexity is extremely low and a detailed proof-of-concept attack scenario has been publicly disclosed in the advisory.
Technical ContextAI
The affected component is the Rust implementation of libp2p Gossipsub (pkg:rust/libp2p-gossipsub), a pub-sub messaging protocol commonly used in peer-to-peer networks including Ethereum and IPFS infrastructure. The root cause is classified as CWE-190 (Integer Overflow or Wraparound). The vulnerability exists in the backoff handling logic where the implementation accepts attacker-controlled backoff values from PRUNE control messages without proper validation. When an extremely large backoff value is processed, the code performs unchecked arithmetic by adding Duration::from_secs(backoff) to Instant::now(), causing a panic due to Duration or Instant overflow in Rust's time handling primitives. The libp2p protocol stack uses a stream multiplexer over standard transports, and Gossipsub operates as a protocol-negotiated stream within that framework, making this reachable through normal network connections without authentication requirements.
RemediationAI
Users of libp2p-gossipsub should immediately upgrade to a patched release that includes hardened Gossipsub backoff handling, as recommended in the GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2. Consult the libp2p Rust project release notes and the advisory for specific version numbers containing the fix. Until patching is possible, organizations can temporarily mitigate risk by implementing network-level controls such as restricting Gossipsub listener access to trusted peer networks only, deploying connection rate limiting to slow repeated attack attempts, or running affected services behind firewalls that filter connections to known-good peers. Given the low attack complexity and availability of a detailed exploit scenario, patching should be prioritized over workarounds for production systems.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-gc42-3jg7-rxr2