CVE-2026-34219
Description
libp2p-rust is the official Rust implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an `Instant` near the representable upper bound. On a later heartbeat, the implementation performs unchecked `Instant + Duration` arithmetic (`backoff_time + slack`), which can overflow and panic with `overflow when adding duration to instant`. The issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no authentication beyond becoming a protocol peer. It has been patched in version 0.49.4.
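The following is an added illustration of the failure mode described above, not code from rust-libp2p: the unchecked heartbeat check beside a checked variant and an input-side clamp. The names `BACKOFF_SLACK`, `backoff_expired_*`, `clamp_backoff` and the comparison direction are assumptions for the example; `near_max_instant` only models the stored near-maximum value.

```rust
use std::panic;
use std::time::{Duration, Instant};

// Slack added to a stored backoff on each heartbeat (value assumed for illustration).
const BACKOFF_SLACK: Duration = Duration::from_secs(1);

// Vulnerable shape from the advisory: unchecked `Instant + Duration`.
// Panics with "overflow when adding duration to instant" when `backoff_time`
// sits near the representable upper bound.
fn backoff_expired_unchecked(backoff_time: Instant, now: Instant) -> bool {
    backoff_time + BACKOFF_SLACK < now
}

// Hardened expiry check: an overflow means the expiry is unrepresentably far
// away, so report "not expired" instead of taking the process down.
fn backoff_expired_checked(backoff_time: Instant, now: Instant) -> bool {
    match backoff_time.checked_add(BACKOFF_SLACK) {
        Some(expiry) => expiry < now,
        None => false,
    }
}

// Input-side mitigation: clamp a peer-supplied backoff (seconds from PRUNE)
// to a local ceiling before it is ever turned into an Instant.
fn clamp_backoff(now: Instant, peer_backoff_secs: u64, max_backoff: Duration) -> Instant {
    now + Duration::from_secs(peer_backoff_secs).min(max_backoff)
}

// Model the stored near-maximum value: binary-search the largest whole-second
// offset that this platform's Instant can still represent.
fn near_max_instant(now: Instant) -> Instant {
    let (mut lo, mut hi) = (0u64, u64::MAX);
    while lo < hi {
        let mid = lo + (hi - lo) / 2 + 1; // upper midpoint, cannot exceed hi
        if now.checked_add(Duration::from_secs(mid)).is_some() { lo = mid; } else { hi = mid - 1; }
    }
    now + Duration::from_secs(lo)
}

// True if the unchecked heartbeat check panics for this backoff (the crash path).
fn unchecked_check_panics(backoff_time: Instant, now: Instant) -> bool {
    panic::catch_unwind(move || backoff_expired_unchecked(backoff_time, now)).is_err()
}

fn main() {
    let now = Instant::now();
    let far = near_max_instant(now);
    println!("unchecked check panics: {}", unchecked_check_panics(far, now));
    println!("checked check expired:  {}", backoff_expired_checked(far, now));
    let clamped = clamp_backoff(now, u64::MAX, Duration::from_secs(3600));
    println!("clamped value expired:  {}", backoff_expired_checked(clamped, now));
}
```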
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| libp2p-gossipsub | crates.io | < 0.49.4 | 0.49.4 |
References
- github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5 (vendor advisory; NVD reference tags: Exploit, Vendor Advisory)
- github.com/advisories/GHSA-gc42-3jg7-rxr2 (GHSA advisory)
- github.com/advisories/GHSA-xqmp-fxgv-xvq5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-34219 (NVD entry)