HIGHCVE-2026-35457Published 2026-04-07Modified 2026-04-07CNA GitHub_M

CVE-2026-35457: libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1.

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

libp2p / rust-libp2p
< 0.17.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7

Metrics