Description

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.

INFO

Published Date :

2026-03-31T15:47:31.785Z

Last Modified :

2026-03-31T17:34:57.667Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34219 vulnerability.

Vendors Products
Libp2p
  • Rust-libp2p
Protocol
  • Libp2p-gossipsub
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34219.

URL Resource
https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact