{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33040", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T18:10:50.210Z", "datePublished": "2026-03-20T05:46:42.276Z", "dateUpdated": "2026-03-20T05:46:42.276Z"}, "containers": {"cna": {"title": "libp2p-rust: Gossipsub PRUNE.backoff Duration Overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"}], "affected": [{"vendor": "libp2p", "product": "rust-libp2p", "versions": [{"version": "< 0.49.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T05:46:42.276Z"}, "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."}], "source": {"advisory": "GHSA-gc42-3jg7-rxr2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3."}], "id": "CVE-2026-33040", "lastModified": "2026-03-20T06:16:12.330", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T06:16:12.330", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.49.3)"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 84.0, "source": "matching"}]}, "original": {"product": "rust-libp2p", "source": "cna", "vendor": "libp2p"}, "product": "libp2p", "vendor": "libp2p"}], "analysis": {"en": {"generated_at": "2026-03-20T07:21:19.930475+00:00", "value": {"mitigation_remediation": ["Update to libp2p\u2011rust 0.49.3 or later", "Verify that the updated version no longer crashes when receiving PRUNE messages"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affects libp2p:rust\u2011libp2p. All versions before 0.49.3 are vulnerable. The fix was introduced in 0.49.3. Any application that exposes a libp2p Gossipsub listener and uses the backoff-handling code path is impacted. No other products are listed.", "description_and_impact": "libp2p-rust is the Rust implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub component accepts PRUNE control messages from remote peers even when the backoff value is attacker\u2011controlled. The implementation performs unchecked arithmetic on the backoff duration during the backoff update logic. If an attacker sends a crafted PRUNE message with an extremely large backoff (for example u64::MAX), the subsequent duration calculation overflows. The overflow triggers a panic in the networking state machine, causing the entire application to crash. This results in a denial of service condition. The flaw is a classic integer overflow (CWE\u2011190).", "risk_and_exploitability": "The CVSS score of 8.7 indicates high severity. No EPSS score is available, so the exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote and does not require authentication; an attacker can simply connect to the libp2p service port, send a malicious PRUNE message, and trigger a crash. The attack can be repeated by reconnecting and replaying the message, enabling continuous denial of service."}}}}, "created": "2026-03-20T08:52:24.175161+00:00", "updated": "2026-03-20T10:37:05.497842+00:00", "vendors": ["libp2p", "libp2p$PRODUCT$libp2p"]}