CVE-2026-35457

HIGH 8.2

libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

0th

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.

CWE	CWE-770
Vendor	libp2p
Product	rust-libp2p
Published	Apr 7, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for libp2p rust-libp2p

Be the first to know when new high vulnerabilities affecting libp2p rust-libp2p are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

High

Affected Versions

libp2p / rust-libp2p

< 0.17.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7