CVE-2026-35457
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.
Details
Pagination state is stored in:
HashMap<Cookie, HashSet<RegistrationId>>On Message::Discover:
remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookiesThere is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.
PoC
A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.
Impact
Remote state amplification leading to memory exhaustion.
Properties:
- etwork reachable
- no authentication required
- low attack complexity
- protocol-compliant traffic
Impacts rendezvous nodes exposed to untrusted peers. ---
Possible Fixes
- Global cap + eviction
Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry aware eviction. Tradeoff: attacker can churn cookies and evict legitimate pagination state.
- Stateless cookies
Encode pagination state in authenticated cookies instead of storing server-side state. Tradeoff: more complex implementation.
- Rate limiting / per-peer quotas
Limit cookie creation per peer. Tradeoff: requires peer tracking.
AnalysisAI
Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial-of-service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though proof-of-concept exists in maintainer-controlled fork. EPSS data not available for this newly-assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.
Technical ContextAI
The vulnerability exists in the libp2p-rendezvous Rust implementation, specifically in the rendezvous server's pagination mechanism. When processing DISCOVER messages from peers, the server generates pagination cookies and stores them in an unbounded HashMap mapping Cookie to HashSet<RegistrationId>. Each DISCOVER request triggers cookie generation and insertion into Registrations::cookies without any eviction policy, maximum size limit, or expiration mechanism. This is a classic CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerability in a peer-to-peer networking protocol. The rendezvous protocol in libp2p allows peers to discover other peers; the pagination feature was designed to handle large result sets but lacks resource consumption controls. The affected package is pkg:rust/libp2p-rendezvous, part of the broader libp2p networking stack used in decentralized applications and blockchain infrastructure.
RemediationAI
Upgrade libp2p-rendezvous to the patched version specified in the GitHub Security Advisory at github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7 and github.com/advisories/GHSA-v5hw-cv9c-rpg7. Exact fixed version numbers are not provided in the available data; consult the advisory for specific version requirements. As interim mitigations if immediate patching is not feasible, implement network-layer rate limiting on connections to rendezvous servers, restrict rendezvous server exposure to trusted networks only, or deploy resource monitoring with automatic service restart on memory threshold violations. The maintainers proposed three potential fix approaches: global cap with FIFO eviction, stateless authenticated cookies, or per-peer rate limiting. Production deployments should verify which approach was implemented in the released patch and confirm memory consumption patterns return to bounded behavior under load testing with repeated DISCOVER requests.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v5hw-cv9c-rpg7