High severity7.5NVD Advisory· Published Apr 7, 2026· Updated Apr 24, 2026
CVE-2026-35405
CVE-2026-35405
Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
libp2p-rendezvouscrates.io | < 0.17.1 | 0.17.1 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-cqfx-gf56-8x59ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-35405ghsaADVISORY
News mentions
0No linked articles in our index yet.