Libp2P Rust-Libp2P vulnerabilities

5 known vulnerabilities affecting libp2p/rust-libp2p.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5

Vulnerabilities

CVE-2026-35457 | HIGH | CVSS 8.2 | fixed in 0.17.1 | 2026-04-07
CVE-2026-35457 [HIGH] CWE-770: libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.
Source: nvd
CVE-2026-35405 | HIGH | CVSS 7.5 | fixed in 0.17.1 | 2026-04-07
CVE-2026-35405 [HIGH] CWE-770: libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to 0.17.1, the libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop, and the server happily accepts every single one, allocating memory for each registration
Source: nvd
CVE-2026-34219 | HIGH | CVSS 8.2 | fixed in 0.49.4 | 2026-03-31
CVE-2026-34219 [HIGH] CWE-190: libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and
Source: nvd
CVE-2026-33040 | HIGH | CVSS 8.7 | fixed in 0.49.3 | 2026-03-20
CVE-2026-33040 [HIGH] CWE-190: libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MA
Source: nvd
CVE-2022-23486 | HIGH | CVSS 7.5 | fixed in 0.45.1 | 2022-12-07
CVE-2022-23486 [HIGH] CWE-400: libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.45.1, an attacker node can cause a victim node to allocate a large number of small memory chunks, which can ultimately lead to the victim's process running out of memory and thus getting killed by its operating system. When executed continuou
Source: nvd
Libp2P Rust-Libp2P vulnerabilities | cvebase