CVE-2026-34219
libp2p-gossipsub: Gossipsub PRUNE Backoff Heartbeat Instant Overflow
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
| CWE | CWE-190 CWE-617 |
| Vendor | libp2p |
| Product | rust-libp2p |
| Published | Mar 31, 2026 |
| Last Updated | Mar 31, 2026 |
Get instant alerts for libp2p rust-libp2p
Be the first to know when new unknown vulnerabilities affecting libp2p rust-libp2p are published โ delivered to Slack, Telegram or Discord.