CVE-2026-33040
libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
| CWE | CWE-190 |
| Vendor | libp2p |
| Product | rust-libp2p |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Get instant alerts for libp2p rust-libp2p
Be the first to know when new unknown vulnerabilities affecting libp2p rust-libp2p are published โ delivered to Slack, Telegram or Discord.