Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.

INFO

Published Date :

2026-03-20T05:46:42.276Z

Last Modified :

2026-03-20T15:41:03.864Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33040 vulnerability.

Vendors Products
Libp2p
  • Libp2p
Protocol
  • Libp2p-gossipsub
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33040.

URL Resource
https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact