nimiq-libp2p CVE-2026-34062

| EUVD-2026-25056 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 GitHub_M
Denial Of Service Network Libp2P
5.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today
Patch available
Apr 22, 2026 - 20:32 EUVD

DescriptionNVD

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, MessageCodec::read_request and read_response call read_to_end() on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because Behaviour::new also sets with_max_concurrent_streams(1000), the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.

AnalysisAI

Denial of service in nimiq-libp2p prior to version 1.3.0 allows remote peers to exhaust node resources by sending partial frames on inbound substreams and keeping them open. The vulnerability combines unbounded stream reading via read_to_end() with a high concurrent stream limit of 1000, enabling attackers to accumulate stalled slots and degrade network availability without authentication or user interaction.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-34062 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy