CVE-2026-34219Integer Overflow or Wraparound in Rust-libp2p

CWE-190Integer Overflow or WraparoundCWE-617Reachable Assertion4 documents4 sources
Severity
8.2HIGHNVD
EPSS
0.1%
top 83.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Libp2p Rust-libp2pLibp2p Libp2p-gossipsub
Timeline
Latest updateMar 30
PublishedMar 31

Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5libp2p/rust-libp2p< 0.49.4
crates.iolibp2p/libp2p-gossipsub< 0.49.4

🔴Vulnerability Details

2
GHSA
libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling2026-03-30
OSV
libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling2026-03-30

🕵️Threat Intelligence

1
Wiz
CVE-2026-34219 Impact, Exploitability, and Mitigation Steps | Wiz