CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-34219

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backoff expiry handling. After a peer sends a crafted PRUNE control message with an attacker-controlled, near-maximum backoff value, the value is accepted and stored as an Instant near the representable upper bound. On a later heartbeat, the implementation performs unchecked Instant + Duration arithmetic (backoff_time + slack), which can overflow and panic with: overflow when adding duration to instant. This issue is reachable from any Gossipsub peer over normal TCP + Noise + mplex/yamux connectivity and requires no further authentication beyond becoming a protocol peer. This issue has been patched in version 0.49.4.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 18.9%

CVSS Severity

CVSS v3 Score 5.9

References

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5

Products affected by CVE-2026-34219

Protocol » Libp2p-Gossipsub » Version: 0.19.2

cpe:2.3:a:protocol:libp2p-gossipsub:0.19.2
Protocol » Libp2p-Gossipsub » Version: 0.19.3

cpe:2.3:a:protocol:libp2p-gossipsub:0.19.3
Protocol » Libp2p-Gossipsub » Version: 0.20.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.20.0
Protocol » Libp2p-Gossipsub » Version: 0.21.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.21.0
Protocol » Libp2p-Gossipsub » Version: 0.22.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.22.0
Protocol » Libp2p-Gossipsub » Version: 0.23.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.23.0
Protocol » Libp2p-Gossipsub » Version: 0.24.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.24.0
Protocol » Libp2p-Gossipsub » Version: 0.25.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.25.0
Protocol » Libp2p-Gossipsub » Version: 0.26.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.26.0
Protocol » Libp2p-Gossipsub » Version: 0.27.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.27.0
Protocol » Libp2p-Gossipsub » Version: 0.28.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.28.0
Protocol » Libp2p-Gossipsub » Version: 0.29.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.29.0
Protocol » Libp2p-Gossipsub » Version: 0.30.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.30.0
Protocol » Libp2p-Gossipsub » Version: 0.30.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.30.1
Protocol » Libp2p-Gossipsub » Version: 0.31.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.31.0
Protocol » Libp2p-Gossipsub » Version: 0.32.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.32.0
Protocol » Libp2p-Gossipsub » Version: 0.33.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.33.0
Protocol » Libp2p-Gossipsub » Version: 0.34.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.34.0
Protocol » Libp2p-Gossipsub » Version: 0.35.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.35.0
Protocol » Libp2p-Gossipsub » Version: 0.36.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.36.0
Protocol » Libp2p-Gossipsub » Version: 0.37.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.37.0
Protocol » Libp2p-Gossipsub » Version: 0.38.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.38.0
Protocol » Libp2p-Gossipsub » Version: 0.38.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.38.1
Protocol » Libp2p-Gossipsub » Version: 0.39.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.39.0
Protocol » Libp2p-Gossipsub » Version: 0.40.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.40.0
Protocol » Libp2p-Gossipsub » Version: 0.41.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.41.0
Protocol » Libp2p-Gossipsub » Version: 0.42.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.42.1
Protocol » Libp2p-Gossipsub » Version: 0.43.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.43.0
Protocol » Libp2p-Gossipsub » Version: 0.44.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.44.0
Protocol » Libp2p-Gossipsub » Version: 0.44.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.44.1
Protocol » Libp2p-Gossipsub » Version: 0.44.2

cpe:2.3:a:protocol:libp2p-gossipsub:0.44.2
Protocol » Libp2p-Gossipsub » Version: 0.44.3

cpe:2.3:a:protocol:libp2p-gossipsub:0.44.3
Protocol » Libp2p-Gossipsub » Version: 0.44.4

cpe:2.3:a:protocol:libp2p-gossipsub:0.44.4
Protocol » Libp2p-Gossipsub » Version: 0.45.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.45.0
Protocol » Libp2p-Gossipsub » Version: 0.45.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.45.1
Protocol » Libp2p-Gossipsub » Version: 0.45.2

cpe:2.3:a:protocol:libp2p-gossipsub:0.45.2
Protocol » Libp2p-Gossipsub » Version: 0.46.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.46.0
Protocol » Libp2p-Gossipsub » Version: 0.46.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.46.1
Protocol » Libp2p-Gossipsub » Version: 0.48.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.48.0
Protocol » Libp2p-Gossipsub » Version: 0.49.0

cpe:2.3:a:protocol:libp2p-gossipsub:0.49.0
Protocol » Libp2p-Gossipsub » Version: 0.49.1

cpe:2.3:a:protocol:libp2p-gossipsub:0.49.1
Protocol » Libp2p-Gossipsub » Version: 0.49.2

cpe:2.3:a:protocol:libp2p-gossipsub:0.49.2
Protocol » Libp2p-Gossipsub » Version: 0.49.3

cpe:2.3:a:protocol:libp2p-gossipsub:0.49.3

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-34219

Products

Pricing

Contact Us