CVE-2026-35457
Unbounded Memory Growth in libp2p-rust Rendezvous Server
Publication date: 2026-04-07
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| protocol | libp2p | < 0.17.1 (0.17.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35457 is a high-severity vulnerability in the Rust libp2p-rendezvous package versions prior to 0.17.1. The issue occurs because the rendezvous server stores pagination cookies in an unbounded HashMap without any limit or eviction policy.
An unauthenticated remote peer can repeatedly send DISCOVER requests, causing the server to generate and store new cookies indefinitely. This leads to unbounded memory growth on the server, potentially exhausting its memory resources.
The vulnerability can be exploited remotely over the network with low complexity, requires no privileges or user interaction, and primarily impacts the availability of the rendezvous server by enabling remote memory exhaustion attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker to cause unbounded memory growth on the rendezvous server, potentially leading to memory exhaustion.
As a result, the server's availability can be severely degraded or it may crash, disrupting services that rely on the libp2p-rendezvous server for networking.
The attack does not affect confidentiality and has only a low impact on data integrity, but it has a high impact on availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded memory growth on the libp2p-rust rendezvous server caused by repeated DISCOVER requests generating pagination cookies without limits.
To detect exploitation attempts on your network or system, monitor for unusually high or repeated DISCOVER requests to the rendezvous server from unauthenticated peers.
You can use network monitoring or packet-capture tools to filter and observe such traffic, for example tcpdump or tshark to capture and analyze DISCOVER messages sent to the rendezvous server port:
- `tcpdump -i <interface> 'tcp port <rendezvous_server_port> and tcp[((tcp[12:1] & 0xf0) >> 2):4] = <DISCOVER_message_signature>' -w capture.pcap`
- `tshark -r capture.pcap -Y 'libp2p.rendezvous.discover' -T fields -e ip.src -e ip.dst -e libp2p.message_type`
Additionally, monitor the memory usage of the rendezvous server process for unexpected growth, which may indicate exploitation.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the libp2p-rust rendezvous server to version 0.17.1 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, consider implementing rate limiting or per-peer quotas to restrict the number of DISCOVER requests and cookie creations from unauthenticated peers.
Other mitigations include applying a global cap on stored pagination cookies with eviction policies such as FIFO or expiry-aware eviction to prevent unbounded memory growth.
Using stateless cookies that encode pagination state within authenticated cookies can also eliminate server-side state storage, though this requires more complex implementation.
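The per-peer quota and the global cap with FIFO eviction described above, as an added Rust illustration that is not code from rust-libp2p or from the 0.17.1 fix; representing the peer identity as a `String` and the pagination state as bytes are assumptions made for the example.

```rust
use std::collections::{HashMap, VecDeque};
/// Placeholder for a libp2p peer identity (assumption for this example).
pub type PeerId = String;
#[derive(Debug, PartialEq)]
pub enum Reject { PerPeerQuota }

/// Bounded pagination-cookie store: a per-peer quota refuses peers that keep
/// asking for fresh cookies; a global cap with FIFO eviction bounds total memory.
#[derive(Default)]
pub struct CookieStore {
    cookies: HashMap<u64, (PeerId, Vec<u8>)>, // cookie id -> (owner, pagination state)
    order: VecDeque<u64>,                     // insertion order, oldest at the front
    per_peer: HashMap<PeerId, usize>,         // live cookies held by each peer
    global_cap: usize,
    per_peer_cap: usize,
    next_id: u64,
}

impl CookieStore {
    pub fn new(global_cap: usize, per_peer_cap: usize) -> Self {
        CookieStore { global_cap, per_peer_cap, ..Default::default() }
    }

    /// Mint a cookie for `peer`, or refuse if that peer already holds its quota.
    pub fn mint(&mut self, peer: &PeerId, state: Vec<u8>) -> Result<u64, Reject> {
        if self.held_by(peer) >= self.per_peer_cap {
            return Err(Reject::PerPeerQuota);
        }
        // At the global cap: evict the oldest cookie, whoever owns it, so the map never exceeds `global_cap`.
        if self.cookies.len() >= self.global_cap {
            if let Some(old) = self.order.pop_front() {
                if let Some((owner, _)) = self.cookies.remove(&old) { self.release(&owner); }
            }
        }
        let id = self.next_id;
        self.next_id += 1;
        self.cookies.insert(id, (peer.clone(), state));
        self.order.push_back(id);
        *self.per_peer.entry(peer.clone()).or_insert(0) += 1;
        Ok(id)
    }
    fn release(&mut self, owner: &PeerId) {
        if let Some(n) = self.per_peer.get_mut(owner) {
            *n -= 1;
            if *n == 0 { self.per_peer.remove(owner); }
        }
    }
    pub fn len(&self) -> usize { self.cookies.len() }
    pub fn held_by(&self, peer: &PeerId) -> usize { self.per_peer.get(peer).copied().unwrap_or(0) }
}
```

A peer that floods DISCOVER is stopped by its own quota, and a flood from many distinct peers can only rotate the fixed-size store rather than grow it.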