CVE-2026-33040
Przepełnienie bufora w libp2p-rust umożliwia zdalne zablokowanie aplikacji przez atakującego, który wysyła spreparowane wiadomości PRUNE.
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 7.5 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-03-20 06:16:12 UTC |
| Ostatnia modyfikacja (NVD) | 2026-05-01 18:37:29 UTC |
- https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2 (security-advisories@github.com) [Vendor Advisory]