Skip to main content

CVE-2026-35457

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-04 https://github.com/libp2p/rust-libp2p GHSA-v5hw-cv9c-rpg7
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 13:37 vuln.today
cvss_changed
Patch released
Apr 04, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 04, 2026 - 06:45 vuln.today
CVE Published
Apr 04, 2026 - 06:34 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

Details

Pagination state is stored in:

rs
HashMap<Cookie, HashSet<RegistrationId>>

On Message::Discover:

remote peer
→ DISCOVER
→ handle_request
→ registrations.get(...)
→ new cookie generated
→ cookie inserted into Registrations::cookies

There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.

PoC

A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.

Impact

Remote state amplification leading to memory exhaustion.

Properties:

  • etwork reachable
  • no authentication required
  • low attack complexity
  • protocol-compliant traffic

Impacts rendezvous nodes exposed to untrusted peers. ---

Possible Fixes

  1. Global cap + eviction

Bound cookie storage (MAX_COOKIES_TRACKED) with FIFO/expiry aware eviction. Tradeoff: attacker can churn cookies and evict legitimate pagination state.

  1. Stateless cookies

Encode pagination state in authenticated cookies instead of storing server-side state. Tradeoff: more complex implementation.

  1. Rate limiting / per-peer quotas

Limit cookie creation per peer. Tradeoff: requires peer tracking.

AnalysisAI

Memory exhaustion in libp2p-rendezvous allows unauthenticated attackers to cause denial-of-service via unbounded pagination cookie storage. Remote attackers can repeatedly send protocol-compliant DISCOVER requests to force unlimited HashMap growth without authentication or rate limiting. No public exploit identified at time of analysis, though proof-of-concept exists in maintainer-controlled fork. EPSS data not available for this newly-assigned CVE; CVSS 8.2 reflects high availability impact with low attack complexity.

Technical ContextAI

The vulnerability exists in the libp2p-rendezvous Rust implementation, specifically in the rendezvous server's pagination mechanism. When processing DISCOVER messages from peers, the server generates pagination cookies and stores them in an unbounded HashMap mapping Cookie to HashSet<RegistrationId>. Each DISCOVER request triggers cookie generation and insertion into Registrations::cookies without any eviction policy, maximum size limit, or expiration mechanism. This is a classic CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerability in a peer-to-peer networking protocol. The rendezvous protocol in libp2p allows peers to discover other peers; the pagination feature was designed to handle large result sets but lacks resource consumption controls. The affected package is pkg:rust/libp2p-rendezvous, part of the broader libp2p networking stack used in decentralized applications and blockchain infrastructure.

RemediationAI

Upgrade libp2p-rendezvous to the patched version specified in the GitHub Security Advisory at github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7 and github.com/advisories/GHSA-v5hw-cv9c-rpg7. Exact fixed version numbers are not provided in the available data; consult the advisory for specific version requirements. As interim mitigations if immediate patching is not feasible, implement network-layer rate limiting on connections to rendezvous servers, restrict rendezvous server exposure to trusted networks only, or deploy resource monitoring with automatic service restart on memory threshold violations. The maintainers proposed three potential fix approaches: global cap with FIFO eviction, stateless authenticated cookies, or per-peer rate limiting. Production deployments should verify which approach was implemented in the released patch and confirm memory consumption patterns return to bounded behavior under load testing with repeated DISCOVER requests.

Share

CVE-2026-35457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy