Skip to main content

CVE-2026-34219

HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-30 https://github.com/libp2p/rust-libp2p GHSA-xqmp-fxgv-xvq5
8.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 13:15 vuln.today
CVE Published
Mar 30, 2026 - 13:04 nvd
HIGH 8.2

DescriptionGitHub Advisory

Description

Summary

The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer.

Attack Scenario

An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted PRUNE control data:

  1. Establish a standard libp2p session (TCP + Noise) and negotiate a stream multiplexer (mplex/yamux).
  2. Open a Gossipsub stream and send an RPC containing ControlPrune with a very large backoff (chosen near boundary conditions, e.g. ~ i64::MAX - victim_uptime_seconds; example observed: 9223372036854674580 for ~28h uptime).
  3. The value is parsed from protobuf and passed through Behaviour::handle_prune() into mesh/backoff update logic.
  4. Initial storage path uses checked addition (Instant::now().checked_add(...)), so the malicious near-max value is retained.
  5. On the next heartbeat (typically within ~43-74s), expiry logic computes backoff_time + slack using unchecked addition, which overflows and panics.

Impact

Remote unauthenticated denial of service (critical). Any application exposing an affected libp2p-gossipsub listener can be crashed by a network-reachable peer that sends crafted PRUNE backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.

Differences from CVE-2026-33040

This advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic. This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.

This vulnerability was originally reported by the Security team of the Ethereum Foundation.

AnalysisAI

Unchecked arithmetic in Rust libp2p-gossipsub heartbeat processing allows remote unauthenticated denial of service via crafted PRUNE control messages. Network-reachable Gossipsub peers can crash vulnerable nodes by sending PRUNE messages with near-maximum backoff values (~i64::MAX), triggering an instant overflow panic during subsequent heartbeat cycles (43-74 seconds later). This is a distinct vulnerability from CVE-2026-33040, affecting a different code path in expiry handling rather than initial insertion. Reported by Ethereum Foundation security team; no public exploit identified at time of analysis, but attack vector is straightforward for any peer capable of establishing libp2p sessions.

Technical ContextAI

libp2p-gossipsub is a Rust implementation of the Gossipsub pubsub protocol used extensively in decentralized networks including Ethereum, IPFS, and Filecoin. The vulnerability (CWE-190: Integer Overflow) exists in the backoff expiry mechanism that prevents rapid mesh reconnections after PRUNE operations. When a peer sends a PRUNE control message, the backoff duration is converted to an Instant timestamp for tracking. While CVE-2026-33040 added checked arithmetic to the insertion path (Instant::now().checked_add()), a secondary overflow remained in heartbeat processing. The heartbeat routine-which runs every 43-74 seconds-performs unchecked addition of a slack duration to stored backoff Instants (backoff_time + slack). An attacker-supplied backoff value near the maximum representable Instant (~292 billion years from epoch, or i64::MAX nanoseconds) will successfully pass insertion checks but overflow when slack is added during expiry evaluation, triggering a Rust panic and immediate process termination. The vulnerability requires only standard libp2p connectivity (TCP + Noise encryption + mplex/yamux multiplexing) with no additional authentication beyond peer negotiation.

RemediationAI

Upgrade to the patched version of libp2p-gossipsub specified in the GitHub security advisory (https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5). The fix implements checked arithmetic in the heartbeat expiry path, mirroring the insertion-side protections added for CVE-2026-33040. Update Cargo.toml dependencies to reference the fixed crate version and rebuild applications. For Ethereum consensus clients and other blockchain infrastructure, coordinate upgrades during maintenance windows while monitoring for anomalous peer behavior (unexpected disconnections, repeated PRUNE messages with unusual timing). As a temporary mitigation, network-layer rate limiting on new peer connections and aggressive peer reputation scoring for misbehaving PRUNE senders may reduce attack surface, though these do not eliminate the vulnerability. No effective workaround exists short of disabling Gossipsub or patching; the overflow is reachable through normal protocol operation.

Share

CVE-2026-34219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy