GHSA-XQMP-FXGV-XVQ5
Vulnerability from github – Published: 2026-03-30 13:04 – Updated: 2026-03-31 18:54
Description
Summary
The Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling.
After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with:
overflow when adding duration to instant
This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer.
Attack Scenario
An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted PRUNE control data:
1. Establish a standard libp2p session (TCP + Noise) and negotiate a stream multiplexer (mplex/yamux).
2. Open a Gossipsub stream and send an RPC containing ControlPrune with a very large backoff (chosen near boundary conditions, e.g. ~ i64::MAX - victim_uptime_seconds; example observed: 9223372036854674580 for ~28h uptime).
3. The value is parsed from protobuf and passed through Behaviour::handle_prune() into mesh/backoff update logic.
4. Initial storage path uses checked addition (Instant::now().checked_add(...)), so the malicious near-max value is retained.
5. On the next heartbeat (typically within ~43–74s), expiry logic computes backoff_time + slack using unchecked addition, which overflows and panics.
Impact
Remote unauthenticated denial of service (critical).
Any application exposing an affected libp2p-gossipsub listener can be crashed by a network-reachable peer that sends crafted PRUNE backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.
Differences from CVE-2026-33040
This advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic. This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.
This vulnerability was originally reported by the Security team of the Ethereum Foundation.
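The two arithmetic sites contrasted above, the insertion-side checked_add hardened by CVE-2026-33040 and the unchecked heartbeat addition this advisory describes, modelled in a standalone Rust example added here; it is not rust-libp2p code. The names expired_unchecked, expired_checked, accept_prune_backoff and max_addable_secs are chosen for the example, and the backoff cap is an assumed defence-in-depth policy, not the project's fix.

```rust
use std::time::{Duration, Instant};

/// Vulnerable heartbeat expiry check as described in the advisory (modelled,
/// not rust-libp2p's code): `Instant + Duration` is unchecked, so an entry
/// near the representable maximum panics with
/// "overflow when adding duration to instant".
pub fn expired_unchecked(backoff_time: Instant, slack: Duration, now: Instant) -> bool {
    backoff_time + slack < now
}

/// Hardened heartbeat check: checked arithmetic; an expiry that cannot be
/// represented is treated as "still backed off" instead of crashing the node.
pub fn expired_checked(backoff_time: Instant, slack: Duration, now: Instant) -> bool {
    backoff_time.checked_add(slack).map_or(false, |expiry| expiry < now)
}

/// Insertion side with a policy cap (assumed defence-in-depth, not the
/// project's fix): a peer-supplied backoff above `max_backoff` is clamped
/// before it is stored, so no near-maximum Instant enters the table at all.
pub fn accept_prune_backoff(now: Instant, backoff_secs: u64, max_backoff: Duration) -> Instant {
    let wanted = Duration::from_secs(backoff_secs).min(max_backoff);
    now.checked_add(wanted).unwrap_or(now)
}

/// Largest whole-second offset `now` can be advanced by on this platform,
/// found by binary search over `checked_add`. It reproduces the kind of
/// near-maximum entry a crafted PRUNE leaves behind, without any network I/O.
pub fn max_addable_secs(now: Instant) -> u64 {
    let (mut lo, mut hi) = (0u64, u64::MAX);
    while lo < hi {
        let mid = lo + (hi - lo) / 2 + 1;
        if now.checked_add(Duration::from_secs(mid)).is_some() { lo = mid } else { hi = mid - 1 }
    }
    lo
}

fn main() {
    let now = Instant::now();
    let slack = Duration::from_secs(60);
    // The entry a near-i64::MAX backoff leaves after insertion-side checked_add.
    let near_max = now.checked_add(Duration::from_secs(max_addable_secs(now))).unwrap();
    let crashed = std::panic::catch_unwind(move || expired_unchecked(near_max, slack, now)).is_err();
    println!("unchecked heartbeat panicked: {}", crashed);
    println!("checked heartbeat expired:    {}", expired_checked(near_max, slack, now));
    // The observed value from the advisory, clamped to a one-hour policy cap.
    let capped = accept_prune_backoff(now, 9223372036854674580, Duration::from_secs(3600));
    println!("capped backoff expires in {:?}", capped - now);
}
```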
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libp2p-gossipsub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.49.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34219"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-617"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T13:04:03Z",
"nvd_published_at": "2026-03-31T16:16:31Z",
"severity": "HIGH"
},
"details": "## Description\n### Summary\nThe Rust libp2p Gossipsub implementation contains a remotely reachable panic in `backoff` expiry handling. \nAfter a peer sends a crafted `PRUNE` control message with an attacker-controlled, near-maximum `backoff` value, the value is accepted and stored as an `Instant` near the representable upper bound. On a later heartbeat, the implementation performs unchecked `Instant + Duration` arithmetic (`backoff_time + slack`), which can overflow and panic with:\n`overflow when adding duration to instant`\nThis issue is reachable from any Gossipsub peer over normal `TCP + Noise + mplex/yamux` connectivity and requires no further authentication beyond becoming a protocol peer.\n### Attack Scenario\nAn attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending crafted `PRUNE` control data:\n1. Establish a standard libp2p session (`TCP + Noise`) and negotiate a stream multiplexer (`mplex`/`yamux`).\n2. Open a Gossipsub stream and send an RPC containing `ControlPrune` with a very large `backoff` (chosen near boundary conditions, e.g. `~ i64::MAX - victim_uptime_seconds`; example observed: `9223372036854674580` for ~28h uptime).\n3. The value is parsed from protobuf and passed through `Behaviour::handle_prune()` into mesh/backoff update logic.\n4. Initial storage path uses checked addition (`Instant::now().checked_add(...)`), so the malicious near-max value is retained.\n5. On the next heartbeat (typically within ~43\u201374s), expiry logic computes `backoff_time + slack` using unchecked addition, which overflows and panics.\n### Impact\nRemote unauthenticated denial of service (critical). \nAny application exposing an affected `libp2p-gossipsub` listener can be crashed by a network-reachable peer that sends crafted `PRUNE` backoff values. The crash is triggered during heartbeat processing (not immediately at PRUNE parse time), and can be repeated by reconnecting and replaying the message.\n\n### Differences from CVE-2026-33040\nThis advisory is related to CVE-2026-33040 but it is not the same defect. CVE-2026-33040 addressed overflow during backoff insertion by adding checked arithmetic when converting PRUNE backoff into an Instant. The issue in this advisory occurs at a different location and at a different time: a near-maximum backoff can still be stored successfully, and the crash happens later in the heartbeat path when slack is added to that stored Instant using unchecked arithmetic. This report covers a distinct secondary overflow path in heartbeat expiry handling that remained reachable after the original insertion-side hardening.\n\nThis vulnerability was originally reported by the Security team of the Ethereum Foundation.",
"id": "GHSA-xqmp-fxgv-xvq5",
"modified": "2026-03-31T18:54:53Z",
"published": "2026-03-30T13:04:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34219"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-gc42-3jg7-rxr2"
},
{
"type": "PACKAGE",
"url": "https://github.com/libp2p/rust-libp2p"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "libp2p-gossipsub: Remote crash via unchecked Instant overflow in heartbeat backoff expiry handling"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.