cvedb.io
CVE-2026-33040
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-20T06:16:12.330 · Last modified 2026-06-17T10:36:51.167

Summary

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the

Affected products

protocol — libp2p-gossipsub

Does this affect you?

Add your gear to cvedb and we'll alert you only when protocol ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.