CVE-2026-33040 — Integer Overflow or Wraparound in Rust-libp2p
Severity: 8.7 HIGH (NVD)
EPSS: 0.1% (top 80.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 20; latest update Mar 30
Description
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during the backoff update logic, triggering a panic in the networking state machine. This is remotely reachabl…
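The failure mode above is a general Rust hazard: `Instant + Duration` panics on overflow, so any peer-supplied duration that reaches that operator unchecked is a remote crash. The following is an added example written for this page, not code from rust-libp2p; it shows the unchecked pattern next to two defences (`Instant::checked_add`, and clamping the untrusted value to a maximum before any arithmetic) inside a minimal per-peer backoff table with a heartbeat that expires entries. `MAX_BACKOFF_SECS`, `BackoffTable` and the peer ids are assumptions constructed for the example, not gossipsub's own constants or types.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Hypothetical cap on the backoff a peer may request (an assumption for this
// example, not libp2p-gossipsub's actual constant or policy).
pub const MAX_BACKOFF_SECS: u64 = 3600;

/// Vulnerable pattern: unchecked `Instant + Duration` on a peer-supplied value.
/// `Add<Duration> for Instant` panics on overflow, so a backoff such as
/// u64::MAX seconds aborts the thread running the networking state machine.
pub fn expiry_unchecked(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened arithmetic: `checked_add` yields `None` instead of panicking.
pub fn expiry_checked(now: Instant, backoff_secs: u64) -> Option<Instant> {
    now.checked_add(Duration::from_secs(backoff_secs))
}

/// Hardened policy: clamp untrusted input to a protocol maximum before it
/// reaches time arithmetic, so stored state is bounded as well as safe.
pub fn clamp_backoff(backoff_secs: u64) -> u64 {
    backoff_secs.min(MAX_BACKOFF_SECS)
}

/// Minimal stand-in for a per-peer backoff table as a heartbeat loop would use.
#[derive(Default)]
pub struct BackoffTable {
    expiry: HashMap<String, Instant>,
}

impl BackoffTable {
    pub fn new() -> Self {
        Self::default()
    }

    /// Record a PRUNE backoff for `peer`. Returns the seconds actually applied
    /// after clamping; the checked add stays as a second line of defence and
    /// returns `None` rather than panicking if overflow somehow occurs.
    pub fn update_backoff(&mut self, peer: &str, now: Instant, requested_secs: u64) -> Option<u64> {
        let secs = clamp_backoff(requested_secs);
        let until = expiry_checked(now, secs)?;
        self.expiry.insert(peer.to_string(), until);
        Some(secs)
    }

    /// Heartbeat: drop entries whose backoff has expired; return how many remain.
    pub fn heartbeat(&mut self, now: Instant) -> usize {
        self.expiry.retain(|_, until| *until > now);
        self.expiry.len()
    }

    pub fn is_backed_off(&self, peer: &str, now: Instant) -> bool {
        self.expiry.get(peer).map_or(false, |until| *until > now)
    }
}

fn main() {
    let now = Instant::now();
    let mut table = BackoffTable::new();
    // Constructed peer ids and backoff values, not captured traffic.
    println!("peer-a applied: {:?}", table.update_backoff("peer-a", now, 60));
    println!("peer-b applied: {:?}", table.update_backoff("peer-b", now, u64::MAX));
    println!("peer-b backed off now: {}", table.is_backed_off("peer-b", now));
    let later = now + Duration::from_secs(7200);
    println!("entries remaining after heartbeat at +2h: {}", table.heartbeat(later));
}
```

The clamp is what keeps a hostile peer from parking an entry in the table for centuries; the checked add is what keeps a future refactor of the clamp from reintroducing a panic. Both belong at the point where the untrusted value enters, not in the heartbeat that later reads it.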
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Packages: 3 packages
Vulnerability Details (5)
GHSA: libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling (2026-03-30)
OSV: libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling (2026-03-30)
OSV: CVE-2026-33040: libp2p-rust is the official Rust language implementation of the libp2p networking stack (2026-03-20)