CVE-2026-33040 in rust-libp2p
Summary
by MITRE • 03/20/2026
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability described in CVE-2026-33040 affects the libp2p-rust implementation, specifically its Gossipsub protocol implementation, a core component of the libp2p networking stack. It is a critical denial-of-service vulnerability that lets remote attackers crash network services without authentication or any privileged access. The flaw exists in versions prior to 0.49.3 and reflects a fundamental weakness in how the time-based backoff mechanism of the gossipsub protocol is handled: the backoff state management logic processes attacker-controlled values without validation or bounds checking.
Exploitation occurs through manipulation of PRUNE control messages within the Gossipsub protocol. When a malicious actor sends a specially crafted PRUNE message containing an extremely large backoff value, specifically u64::MAX, the time arithmetic performed on that value is no longer valid: the Duration built from it overflows when combined with an Instant during the backoff update logic, and the networking state machine panics and crashes. The root cause is unchecked time arithmetic that does not validate or sanitize attacker-controlled input before using it as a time-based backoff parameter. This type of vulnerability falls under CWE-191 Integer Underflow/Overflow, as the system fails to bound extreme values before performing time arithmetic on them.
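The following is an added illustration of the pattern described above, not rust-libp2p's own code and not a reproduction of the 0.49.3 patch: it contrasts an unchecked `Instant + Duration` backoff update with a clamped, checked one. `MAX_BACKOFF`, the function names and the constructed `u64::MAX` input are assumptions chosen for this example.

```rust
use std::time::{Duration, Instant};

// Upper bound applied to any peer-supplied backoff. This constant and the
// function names are assumptions for this example, not rust-libp2p's own.
const MAX_BACKOFF: Duration = Duration::from_secs(24 * 60 * 60);

/// Vulnerable pattern: the backoff carried in a PRUNE message is trusted and
/// added straight to the current Instant. `Instant + Duration` panics when the
/// result cannot be represented, so u64::MAX seconds from a single remote peer
/// takes down the whole networking state machine.
pub fn backoff_until_unchecked(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened form: clamp the peer-controlled value to a protocol-sane maximum
/// and use checked arithmetic. `None` means the deadline could not be
/// represented; the caller drops that backoff instead of panicking.
pub fn backoff_until_checked(now: Instant, backoff_secs: u64) -> Option<Instant> {
    let requested = Duration::from_secs(backoff_secs);
    let clamped = requested.min(MAX_BACKOFF);
    now.checked_add(clamped)
}

/// Stand-in for the PRUNE handling path: records the backoff deadline and
/// reports whether the message was accepted. Counting rejected or clamped
/// PRUNEs per peer is a cheap detection signal for abusive senders.
pub fn handle_prune_backoff(now: Instant, backoff_secs: u64, deadlines: &mut Vec<Instant>) -> bool {
    match backoff_until_checked(now, backoff_secs) {
        Some(until) => {
            deadlines.push(until);
            true
        }
        None => false,
    }
}

fn main() {
    let now = Instant::now();
    let mut deadlines = Vec::new();
    // Constructed input: a PRUNE whose backoff field is u64::MAX seconds.
    let accepted = handle_prune_backoff(now, u64::MAX, &mut deadlines);
    println!("accepted={} deadline in {:?}", accepted, deadlines[0].duration_since(now));
}
```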
The operational impact extends beyond simple service disruption to the reliability and availability of distributed systems that rely on libp2p for communication. Any application exposing a libp2p Gossipsub listener is vulnerable, which makes the issue particularly dangerous in peer-to-peer networks, blockchain systems, or any distributed application that uses libp2p for peer discovery and message propagation. The attack vector is especially concerning because it requires only network connectivity to the target service port and no authentication, so it is readily exploitable wherever network exposure is unavoidable. Because the crafted control message can be replayed after reconnecting, an attacker can maintain persistent disruption.
From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1499.004 for network denial of service and shows how protocol-level flaws can be exploited to destabilize a system. It is a classic case of insufficient input validation: attacker-controlled time values are used in critical arithmetic operations without being validated first. The fix in version 0.49.3 adds bounds checking and validation of backoff values so that time arithmetic cannot overflow or panic. Organizations using libp2p-rust should upgrade to version 0.49.3 or later immediately, since the attack can be executed remotely and repeatedly and therefore poses a significant risk to network availability and service continuity in distributed applications.