Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35457 is a high-severity vulnerability in the Rust libp2p-rendezvous package versions prior to 0.17.1. The issue occurs because the rendezvous server stores pagination cookies in an unbounded HashMap without any limit or eviction policy.

An unauthenticated remote peer can repeatedly send DISCOVER requests, causing the server to generate and store new cookies indefinitely. This leads to unbounded memory growth on the server, potentially exhausting its memory resources.

The vulnerability can be exploited remotely over the network with low complexity, requires no privileges or user interaction, and primarily impacts the availability of the rendezvous server by enabling remote memory exhaustion attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to cause unbounded memory growth on the rendezvous server, potentially leading to memory exhaustion.

As a result, the server's availability can be severely degraded or it may crash, disrupting services that rely on the libp2p-rendezvous server for networking.

The attack does not affect confidentiality and has only a low impact on data integrity, but it has a high impact on availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unbounded memory growth on the libp2p-rust rendezvous server caused by repeated DISCOVER requests generating pagination cookies without limits.

To detect exploitation attempts on your network or system, monitor for unusually high or repeated DISCOVER requests to the rendezvous server from unauthenticated peers.

You can use network monitoring tools or packet capture utilities to filter and observe such traffic. For example, using tcpdump or tshark to capture and analyze DISCOVER messages targeting the rendezvous server port.

• tcpdump -i <interface> 'tcp port <rendezvous_server_port> and tcp[((tcp[12:1] & 0xf0) >> 2):4] = <DISCOVER_message_signature>' -w capture.pcap
• tshark -r capture.pcap -Y 'libp2p.rendezvous.discover' -T fields -e ip.src -e ip.dst -e libp2p.message_type

Additionally, monitor the memory usage of the rendezvous server process for unexpected growth, which may indicate exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the libp2p-rust rendezvous server to version 0.17.1 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, consider implementing rate limiting or per-peer quotas to restrict the number of DISCOVER requests and cookie creations from unauthenticated peers.

Other mitigations include applying a global cap on stored pagination cookies with eviction policies such as FIFO or expiry-aware eviction to prevent unbounded memory growth.

Using stateless cookies that encode pagination state within authenticated cookies can also eliminate server-side state storage, though this requires more complex implementation.

Useful 0 Not Useful 0