Rust libp2p Gossipsub, Remote Panic/DoS, CVE-2026-XXXX (Pending) – Critical


How the CVE Works

The vulnerability resides in the heartbeat expiry handling of the Rust libp2p Gossipsub implementation. An attacker establishes an ordinary libp2p session (TCP + Noise + mplex/yamux) and sends a crafted `PRUNE` control message whose backoff value is close to the maximum representable duration (e.g., `i64::MAX - victim_uptime_seconds`). On insertion the implementation computes the expiry with checked arithmetic (`Instant::now().checked_add(...)`); because the sum still fits, the check passes and the value is stored as an `Instant` just below the upper bound. Later, during the periodic heartbeat (every 43–74 seconds), the expiry logic uses unchecked arithmetic: `backoff_time + slack`. The stored `Instant` already sits at the edge of the representable range, so adding any positive `Duration` (the slack) overflows and the process panics with `overflow when adding duration to instant`. The crash is reachable from any peer that can complete a Gossipsub connection; no privileged role or prior trust relationship is required, so it amounts to a remote denial of service. This overflow lives in the heartbeat path and is distinct from the insertion-side overflow fixed in CVE-2026-33040, which left this second path exploitable.
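As an added example (not code from the rust-libp2p project or from this page), the following self-contained Rust program models the two halves of the bug described above. A simplified backoff table, an assumed stand-in for Gossipsub's real per-topic, per-peer structure, accepts a near-maximum backoff through `checked_add`; a heartbeat that uses the unchecked `Instant + Duration` then panics, while a hardened heartbeat that uses `checked_add` survives with the entry intact. The attacker's `i64::MAX - uptime` guess is replaced by a binary search for the largest backoff this host's `Instant` will accept, so the program runs on any platform regardless of uptime. The `slack` and backoff values are constructed for the example.

```rust
use std::collections::HashMap;
use std::panic::{self, AssertUnwindSafe};
use std::time::{Duration, Instant};

/// Simplified stand-in for Gossipsub's per-peer backoff table (an assumption made for
/// this example; the real structure is keyed by topic and peer and has more fields).
struct BackoffStorage {
    backoffs: HashMap<String, Instant>,
    /// Grace period added at expiry time: the `slack` the advisory refers to.
    slack: Duration,
}

impl BackoffStorage {
    fn new(slack: Duration) -> Self {
        Self { backoffs: HashMap::new(), slack }
    }

    /// Insertion side. `checked_add` does not reject an absurd backoff; as long as the sum
    /// fits, the expiry is stored as an `Instant` at the edge of the representable range.
    fn update_backoff(&mut self, now: Instant, peer: &str, backoff: Duration) -> bool {
        match now.checked_add(backoff) {
            Some(until) => {
                self.backoffs.insert(peer.to_owned(), until);
                true
            }
            None => false,
        }
    }

    /// Vulnerable heartbeat expiry. `Instant + Duration` is unchecked and panics with
    /// "overflow when adding duration to instant" once `until` sits near the maximum.
    fn heartbeat_vulnerable(&mut self, now: Instant) {
        let slack = self.slack;
        self.backoffs.retain(|_, until| *until + slack > now);
    }

    /// Hardened heartbeat: the same test with `checked_add`. An expiry that cannot be
    /// computed is treated as "still backed off" instead of taking the process down.
    fn heartbeat_hardened(&mut self, now: Instant) {
        let slack = self.slack;
        self.backoffs.retain(|_, until| match until.checked_add(slack) {
            Some(expiry) => expiry > now,
            None => true,
        });
    }
}

/// Largest whole-second backoff that `now.checked_add` accepts on this host. It plays the
/// role of the attacker's `i64::MAX - victim_uptime_seconds` guess, found by binary search.
fn max_acceptable_backoff(now: Instant) -> Duration {
    // Invariant: `lo` seconds fits; every value above `hi` does not.
    let (mut lo, mut hi) = (0u64, u64::MAX);
    while lo < hi {
        let mid = lo + (hi - lo) / 2 + 1;
        if now.checked_add(Duration::from_secs(mid)).is_some() {
            lo = mid;
        } else {
            hi = mid - 1;
        }
    }
    Duration::from_secs(lo)
}

/// Result of running both heartbeat variants against the same malicious backoff.
struct Outcome { vulnerable_panicked: bool, hardened_panicked: bool, hardened_entries: usize }

fn seed(store: &mut BackoffStorage, now: Instant, benign: Duration, malicious: Duration) {
    assert!(store.update_backoff(now, "honest-peer", benign));
    assert!(store.update_backoff(now, "attacker", malicious)); // accepted, not rejected
}

fn demonstrate() -> Outcome {
    let now = Instant::now();
    let slack = Duration::from_secs(10); // constructed; any positive slack triggers the overflow
    let benign = Duration::from_secs(60); // an ordinary PRUNE backoff from a well-behaved peer
    let malicious = max_acceptable_backoff(now);

    let mut vulnerable = BackoffStorage::new(slack);
    let mut hardened = BackoffStorage::new(slack);
    seed(&mut vulnerable, now, benign, malicious);
    seed(&mut hardened, now, benign, malicious);

    // Silence the default panic hook so the expected crash does not spam stderr.
    let prev_hook = panic::take_hook();
    panic::set_hook(Box::new(|_| {}));
    let heartbeat_time = now + slack; // simulated next heartbeat; far from the edge, so safe
    let vulnerable_panicked =
        panic::catch_unwind(AssertUnwindSafe(|| vulnerable.heartbeat_vulnerable(heartbeat_time))).is_err();
    let hardened_panicked =
        panic::catch_unwind(AssertUnwindSafe(|| hardened.heartbeat_hardened(heartbeat_time))).is_err();
    panic::set_hook(prev_hook);

    Outcome { vulnerable_panicked, hardened_panicked, hardened_entries: hardened.backoffs.len() }
}

fn main() {
    let o = demonstrate();
    println!("vulnerable heartbeat panicked: {}, hardened heartbeat panicked: {}, entries kept by hardened heartbeat: {}",
        o.vulnerable_panicked, o.hardened_panicked, o.hardened_entries);
}
```

The panic is caught with `catch_unwind` only so that both outcomes can be reported from one run; in a real node the unchecked addition takes the whole process down. The hardened variant treats an uncomputable expiry as "still backed off", which is the conservative choice; clamping accepted backoff values to a sane ceiling at insertion time is the complementary fix.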

DailyCVE Form

Platform: Rust libp2p
Version: < patched release
Vulnerability: Remote panic/DoS
Severity: Critical
Date: 2026-03-30

Prediction: Patch released 2026-04-15

What Undercode Say:

Check the libp2p-gossipsub version in Cargo.toml, and in Cargo.lock, which records the version actually resolved:

```shell
grep "libp2p-gossipsub" Cargo.toml Cargo.lock
```

Simulate a malicious PRUNE with a near-max backoff in Rust (conceptual code, not a full exploit; the struct and field names are illustrative, not the crate's real `ControlPrune` type):

```rust
use std::time::Duration;

// ~28 h of victim uptime, matching the value used in the Exploit section below.
let victim_uptime_secs: i64 = 101_227;
let malicious_backoff = i64::MAX - victim_uptime_secs;
let prune = gossipsub::rpc::ControlPrune {
    peer_id: target_peer,
    backoff: Some(Duration::from_secs(malicious_backoff as u64)),
    ..Default::default()
};
```

Exploit

1. Connect to the target over TCP + Noise and negotiate mplex or yamux.
2. Open a Gossipsub stream and send an RPC containing a `ControlPrune` with backoff = `9223372036854674580` (i64::MAX minus roughly 28 h of uptime in seconds).
3. Wait for the next heartbeat (at most ~74 s); the target panics on the `backoff_time + slack` overflow.
4. Reconnect and replay to crash the node repeatedly.

Protection from this CVE

  • Upgrade libp2p-gossipsub to a release containing the fix (post-0.46.1 or a backported patch).
  • Workaround if upgrading is impossible: disable Gossipsub PRUNE handling (not recommended, since PRUNE is part of normal mesh maintenance).
  • Reject or clamp abnormally large backoff values in the application layer before they are stored. The PRUNE payload travels inside the Noise-encrypted session, so a network device cannot inspect it; the check has to live in the node itself.

Impact

  • Confidentiality: None
  • Integrity: None
  • Availability: Complete loss of service for affected node; remote unauthenticated attacker can crash any reachable Gossipsub listener.


Sources:

Reported By: github.com