CVE-2026-34219
Received Received - Intake
Unchecked Arithmetic Overflow in libp2p-rust Gossipsub Causes Remote Panic

Publication date: 2026-03-31

Last updated on: 2026-05-01

Assigner: GitHub, Inc.

Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34219
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
protocol libp2p-gossipsub to 0.49.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can be exploited remotely by an attacker to cause a denial-of-service (DoS) condition on the affected node.

Specifically, by sending crafted PRUNE messages with near-maximum backoff values, an attacker can repeatedly crash the target node due to an integer overflow panic during heartbeat processing.

The impact is a high availability impact, meaning the affected system or service can become unavailable or unstable, disrupting normal operations.

No authentication or special privileges are required to exploit this vulnerability, making it easier for attackers to cause disruption.

There is no impact on confidentiality or integrity of data.

Executive Summary

This vulnerability exists in the Rust libp2p Gossipsub implementation prior to version 0.49.4. It is caused by an integer overflow during the handling of backoff expiry in PRUNE control messages. When a malicious peer sends a specially crafted PRUNE message with a backoff value near the maximum representable time, this value is accepted and stored without immediate error.

Later, during a heartbeat event, the implementation performs unchecked addition of this stored backoff time and a slack duration, which can overflow and cause the program to panic with an overflow error. This panic crashes the target node.

The vulnerability is remotely exploitable over normal libp2p network connections (TCP, Noise encryption, mplex/yamux multiplexers) without requiring any authentication beyond becoming a protocol peer.

This issue was fixed in version 0.49.4 of the Rust libp2p Gossipsub implementation.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the libp2p-rust Gossipsub implementation, specifically looking for the panic message: "overflow when adding duration to instant."

Since the issue is triggered by receiving a crafted PRUNE control message with a near-maximum backoff value, network traffic inspection tools could be used to detect unusual or suspicious PRUNE messages with abnormally large backoff values.

Commands to help detect this might include checking logs for the panic message, for example using:

  • grep -r "overflow when adding duration to instant" /var/log/
  • journalctl -u your-libp2p-service | grep "overflow when adding duration to instant"

Additionally, network packet capture tools like tcpdump or Wireshark can be used to capture and analyze libp2p traffic to identify PRUNE control messages with suspicious backoff values.

Mitigation Strategies

The immediate mitigation step is to upgrade the libp2p-rust Gossipsub implementation to version 0.49.4 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider monitoring and filtering incoming PRUNE control messages to detect and block those with abnormally large backoff values to prevent triggering the overflow.

Also, monitor system logs for panic events related to this issue to quickly identify exploitation attempts.

Compliance Impact

The vulnerability causes a remote denial-of-service (DoS) by crashing the target node, impacting availability. However, it does not affect confidentiality or integrity of data.

Since the issue impacts availability but not confidentiality or integrity, it may have implications for compliance with standards that require system availability, such as HIPAA's availability requirements for protected health information systems.

There is no direct information indicating an impact on personal data confidentiality or privacy regulations like GDPR.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34219. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart