CVE-2026-35405
Received Received - Intake
Unrestricted Namespace Registration in libp2p-rust Causes OOM

Publication date: 2026-04-07

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35405
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
protocol libp2p to 0.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-35405 is a denial-of-service (DoS) vulnerability in the libp2p-rendezvous Rust library versions prior to 0.17.1. The vulnerability exists because the rendezvous server does not limit how many unique namespaces a single peer can register.

A malicious peer can repeatedly register unique namespaces in a loop, and the server will accept each registration, allocating memory for every one without any restriction. Since each registration consumes memory and persists for up to 72 hours, this can cause the server's memory usage to grow uncontrollably.

Eventually, this leads to the server running out of memory and being killed by the operating system (OOM killed), causing a denial of service. This attack requires no special privileges or authentication and can be performed by simply opening a connection and sending REGISTER requests.

Impact Analysis

This vulnerability can cause a denial of service on any rust-libp2p-based project running a rendezvous server by exhausting the server's memory resources.

  • A malicious peer can register tens of thousands of unique namespaces, causing the server to allocate excessive memory.
  • The server process can be terminated by the operating system due to out-of-memory conditions, leading to service unavailability.
  • Multiple malicious or sybil peers can amplify the attack, potentially consuming gigabytes of memory and causing widespread disruption.

Overall, this results in high impact on availability of the rendezvous server, which is critical for peer discovery in libp2p networks.

Detection Guidance

This vulnerability can be detected by monitoring the libp2p-rendezvous server for unusually high memory usage and an excessive number of unique namespace registrations from a single peer or multiple peers.

Since the attack involves a peer repeatedly sending REGISTER requests with unique namespaces, network traffic analysis can help identify such behavior by capturing and inspecting REGISTER messages.

Commands to detect this might include:

  • Using system monitoring tools like 'top' or 'htop' to observe memory usage spikes of the rendezvous server process.
  • Using 'netstat' or 'ss' to check for a large number of connections to the rendezvous server.
  • Using packet capture tools like 'tcpdump' or 'wireshark' to filter and analyze REGISTER requests to the rendezvous server port.
  • If the server logs registrations, reviewing logs for peers registering tens of thousands of unique namespaces.
Mitigation Strategies

The immediate mitigation step is to upgrade the libp2p-rust rendezvous server to version 0.17.1 or later, where the vulnerability is fixed by enforcing a configurable maximum number of registrations per peer.

Until the upgrade can be applied, consider implementing network-level protections such as rate limiting or connection limiting to reduce the impact of malicious peers registering excessive namespaces.

Additionally, monitoring and alerting on abnormal memory usage or excessive registration activity can help detect and respond to ongoing attacks.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart