CVE-2026-34219
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Description
Summary
The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer.
Attack Scenario
An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted PRUNE control data:
- Establish a standard libp2p session (
TCP + Noise) and negotiate a stream multiplexer (mplex/yamux). - Open a Gossipsub stream and send an RPC containing
ControlPrunewith a very largebackoff(chosen near boundary conditions, e.g.~ i64::MAX - victim_uptime_seconds; example observed:9223372036854674580for ~28h uptime). - The value is parsed from protobuf and passed through
Behaviour::handle_prune()into mesh/backoff update logic. - Initial storage path uses checked addition (
Instant::now().checked_add(...)), so the malicious near-max value is retained. - On the next heartbeat (typically within ~43-74s), expiry logic computes
backoff_time + slackusing unchecked addition, which overflows and panics.
Impact
Remote unauthenticated denial of service (critical). Any application exposing an affected libp2p-gossipsub listener can be crashed by a network-reachable peer that sends crafted PRUNE backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.
Differences from CVE-2026-33040
This advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic. This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.
This vulnerability was originally reported by the Security team of the Ethereum Foundation.
AnalysisAI
Unchecked arithmetic in Rust libp2p-gossipsub heartbeat processing allows remote unauthenticated denial of service via crafted PRUNE control messages. Network-reachable Gossipsub peers can crash vulnerable nodes by sending PRUNE messages with near-maximum backoff values (~i64::MAX), triggering an instant overflow panic during subsequent heartbeat cycles (43-74 seconds later). This is a distinct vulnerability from CVE-2026-33040, affecting a different code path in expiry handling rather than initial insertion. Reported by Ethereum Foundation security team; no public exploit identified at time of analysis, but attack vector is straightforward for any peer capable of establishing libp2p sessions.
Technical ContextAI
libp2p-gossipsub is a Rust implementation of the Gossipsub pubsub protocol used extensively in decentralized networks including Ethereum, IPFS, and Filecoin. The vulnerability (CWE-190: Integer Overflow) exists in the backoff expiry mechanism that prevents rapid mesh reconnections after PRUNE operations. When a peer sends a PRUNE control message, the backoff duration is converted to an Instant timestamp for tracking. While CVE-2026-33040 added checked arithmetic to the insertion path (Instant::now().checked_add()), a secondary overflow remained in heartbeat processing. The heartbeat routine-which runs every 43-74 seconds-performs unchecked addition of a slack duration to stored backoff Instants (backoff_time + slack). An attacker-supplied backoff value near the maximum representable Instant (~292 billion years from epoch, or i64::MAX nanoseconds) will successfully pass insertion checks but overflow when slack is added during expiry evaluation, triggering a Rust panic and immediate process termination. The vulnerability requires only standard libp2p connectivity (TCP + Noise encryption + mplex/yamux multiplexing) with no additional authentication beyond peer negotiation.
RemediationAI
Upgrade to the patched version of libp2p-gossipsub specified in the GitHub security advisory (https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5). The fix implements checked arithmetic in the heartbeat expiry path, mirroring the insertion-side protections added for CVE-2026-33040. Update Cargo.toml dependencies to reference the fixed crate version and rebuild applications. For Ethereum consensus clients and other blockchain infrastructure, coordinate upgrades during maintenance windows while monitoring for anomalous peer behavior (unexpected disconnections, repeated PRUNE messages with unusual timing). As a temporary mitigation, network-layer rate limiting on new peer connections and aggressive peer reputation scoring for misbehaving PRUNE senders may reduce attack surface, though these do not eliminate the vulnerability. No effective workaround exists short of disabling Gossipsub or patching; the overflow is reachable through normal protocol operation.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-xqmp-fxgv-xvq5