PT-2026-26181 · Unknown · Libp2P-Rust

Revofusion · Published 2026-03-18 · Updated 2026-05-01 · CVE-2026-33040

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: libp2p-rust, versions prior to 0.49.3

Description: The libp2p-rust Gossipsub implementation is susceptible to a remote, unauthenticated denial of service. The implementation accepts the attacker-controlled backoff value carried in a PRUNE control message and performs unchecked time arithmetic when storing the backoff state. A crafted PRUNE with an extremely large backoff value, such as u64::MAX, causes a Duration/Instant overflow in the backoff update logic, and the resulting panic takes down the networking state machine. An attacker who establishes a Gossipsub session with the target node can trigger the condition with a single crafted PRUNE control message, and can repeat the attack by reconnecting and replaying the same message. The affected endpoint is the Gossipsub stream; the vulnerable parameter is the backoff field of the ControlPrune protobuf message.

Recommendations: Upgrade to version 0.49.3 or later.
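As an added illustration, and not code from this advisory or from libp2p-rust, the following Rust model places the unchecked arithmetic the description refers to beside a hardened version. The BackoffTable type, the MAX_PEER_BACKOFF and DEFAULT_PRUNE_BACKOFF constants and their values are assumptions made for this example; the backoff field is the seconds value a peer sends in its PRUNE, and u64::MAX is the value the advisory names.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Largest backoff a remote peer is allowed to impose on us. The value is an
/// assumption for this example, not a constant taken from libp2p-rust.
pub const MAX_PEER_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// Backoff applied when a PRUNE carries no backoff field. Also an assumption.
pub const DEFAULT_PRUNE_BACKOFF: Duration = Duration::from_secs(60);

/// Simplified per-(topic, peer) backoff table, constructed for this example.
#[derive(Default)]
pub struct BackoffTable {
    until: HashMap<(String, String), Instant>,
}

impl BackoffTable {
    /// Vulnerable pattern: the attacker-controlled `backoff` (seconds, from the
    /// ControlPrune message) is added to `now` with plain `+`. `Instant + Duration`
    /// panics when the sum does not fit, so a backoff of u64::MAX brings the
    /// task down instead of being rejected.
    pub fn update_backoff_unchecked(&mut self, topic: &str, peer: &str, backoff_secs: u64) {
        let expiry = Instant::now() + Duration::from_secs(backoff_secs);
        self.until.insert((topic.to_owned(), peer.to_owned()), expiry);
    }

    /// Hardened pattern: a missing field falls back to a local default, the
    /// requested value is clamped to a local maximum, and the addition uses
    /// `checked_add` so any remaining overflow is an error rather than a panic.
    /// Returns the backoff that was actually stored.
    pub fn update_backoff_checked(
        &mut self,
        topic: &str,
        peer: &str,
        backoff_secs: Option<u64>,
    ) -> Result<Duration, String> {
        let requested = backoff_secs.map_or(DEFAULT_PRUNE_BACKOFF, Duration::from_secs);
        let applied = requested.min(MAX_PEER_BACKOFF);
        let expiry = Instant::now()
            .checked_add(applied)
            .ok_or_else(|| format!("backoff of {applied:?} overflows Instant"))?;
        self.until.insert((topic.to_owned(), peer.to_owned()), expiry);
        Ok(applied)
    }

    /// True while the peer is still backed off for the topic.
    pub fn is_backed_off(&self, topic: &str, peer: &str) -> bool {
        self.until
            .get(&(topic.to_owned(), peer.to_owned()))
            .map_or(false, |expiry| Instant::now() < *expiry)
    }
}

/// Runs the vulnerable path under `catch_unwind` and reports whether it panicked,
/// so the failure mode can be observed without killing the process.
pub fn unchecked_path_panics(backoff_secs: u64) -> bool {
    std::panic::catch_unwind(move || {
        let mut table = BackoffTable::default();
        table.update_backoff_unchecked("topic", "peer", backoff_secs);
    })
    .is_err()
}

fn main() {
    // Silence the default panic message so the demo output stays readable.
    std::panic::set_hook(Box::new(|_| {}));
    println!("unchecked, backoff=30:       panics={}", unchecked_path_panics(30));
    println!("unchecked, backoff=u64::MAX: panics={}", unchecked_path_panics(u64::MAX));

    let mut table = BackoffTable::default();
    match table.update_backoff_checked("topic", "peer", Some(u64::MAX)) {
        Ok(applied) => println!("checked, backoff=u64::MAX: stored {applied:?}"),
        Err(e) => println!("checked, backoff=u64::MAX: rejected: {e}"),
    }
}
```

The clamp is the control that matters: `checked_add` alone turns the panic into an error, but without a local maximum a peer could still impose an arbitrarily long backoff and keep the node out of the mesh for that topic. A node handling any remotely supplied time value should treat both the overflow and the oversized-but-representable case as input validation failures.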

Fix

Weakness Enumeration: Integer Overflow

Related Identifiers: CVE-2026-33040, GHSA-GC42-3JG7-RXR2

Affected Products: Libp2P-Rust