cvedb.io
CVE-2026-34219
MEDIUM · CVSS 5.9
EPSS exploitation probability: 0%
Published 2026-03-31T16:16:31.920 · Last modified 2026-06-17T10:38:40.577

Summary

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched

Affected products

protocol — libp2p-gossipsub

Does this affect you?

Add your gear to cvedb and we'll alert you only when protocol ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.