CVE-2026-35405
Last modified
CVE-2026-35405 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Protocol | Libp2p | < 0.17.1 |
References
- https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59Exploit, Vendor Advisory
- https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-35405?
How severe is CVE-2026-35405?
How do I fix CVE-2026-35405?
Are you affected by CVE-2026-35405?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST