PT-2026-29063 · Unknown · Libp2P-Rust

Published 2026-03-30 · Updated 2026-05-01 · CVE-2026-34219

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
libp2p-rust versions prior to 0.49.4

Description
The libp2p-rust Gossipsub implementation has a flaw where a crafted PRUNE control message carrying a near-maximum backoff value can cause a panic due to unchecked `Instant + Duration` arithmetic during backoff expiry handling. The overflow occurs when the stored backoff time and the heartbeat slack are added together. The issue is reachable from any Gossipsub peer using standard TCP + Noise + mplex/yamux connectivity and requires no authentication beyond establishing a protocol peer connection. An attacker can trigger it by sending a crafted PRUNE control message containing a large backoff value: the value is initially stored using checked addition, but the subsequent unchecked addition during heartbeat processing overflows and panics. The result is a remote, unauthenticated denial of service. This vulnerability is distinct from CVE-2026-33040, which addressed a different overflow during backoff insertion.

Recommendations
Versions prior to 0.49.4 should be updated to version 0.49.4 or later.
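The pattern the advisory describes (a peer-supplied backoff stored safely, then combined with a slack value using unchecked `Instant + Duration` arithmetic at heartbeat time) is easy to reproduce in any Rust code that keeps per-peer timers. The following is an added example written for this page; it is not libp2p-rust's own code, and the actual libp2p-rust logic is not shown on this page. The `Backoffs` table, the `MAX_BACKOFF` limit, the `record`/`is_backed_off`/`sweep` methods and the `checked_deadline` helper are all constructed for illustration. It shows the two defensive measures a maintainer would want: clamp an attacker-controlled duration to a local maximum before storing it, and use `checked_add` at every point where an `Instant` and a `Duration` meet, so an unrepresentable deadline becomes a handled case instead of a panic.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Largest backoff this node will honour, whatever a peer asks for.
/// Constructed value for the example; the protocol's real limit is not given on the page.
pub const MAX_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// Compute `now + backoff + slack` without ever panicking.
/// `None` means the deadline is not representable; the caller decides what to do
/// (reject the message, clamp, or treat the peer as still backed off).
/// The unchecked form `now + backoff + slack` is the pattern the advisory describes:
/// `Duration + Duration` and `Instant + Duration` both panic on overflow.
pub fn checked_deadline(now: Instant, backoff: Duration, slack: Duration) -> Option<Instant> {
    backoff
        .checked_add(slack)
        .and_then(|total| now.checked_add(total))
}

/// Per-(peer, topic) backoff table, a stand-in for the state a Gossipsub router keeps
/// after receiving a PRUNE. Constructed for this example.
#[derive(Default)]
pub struct Backoffs {
    expiry: HashMap<(String, String), Instant>,
}

impl Backoffs {
    /// Record a PRUNE backoff. The requested duration is clamped to `MAX_BACKOFF`
    /// before it is added to `now`, and the addition itself is checked, so a
    /// near-maximum value from a remote peer can neither panic here nor leave an
    /// `Instant` close to its limit for the heartbeat to trip over later.
    pub fn record(
        &mut self,
        now: Instant,
        peer: &str,
        topic: &str,
        requested: Duration,
    ) -> Result<Instant, &'static str> {
        let bounded = requested.min(MAX_BACKOFF);
        let expiry = now
            .checked_add(bounded)
            .ok_or("backoff expiry not representable")?;
        self.expiry
            .insert((peer.to_owned(), topic.to_owned()), expiry);
        Ok(expiry)
    }

    /// Heartbeat query: is this peer still backed off for the topic once `slack`
    /// is added to the stored expiry? Uses checked arithmetic; an unrepresentable
    /// deadline is treated as "still backed off" rather than crashing the node.
    pub fn is_backed_off(&self, now: Instant, peer: &str, topic: &str, slack: Duration) -> bool {
        match self.expiry.get(&(peer.to_owned(), topic.to_owned())) {
            None => false,
            Some(expiry) => match expiry.checked_add(slack) {
                Some(deadline) => now < deadline,
                None => true,
            },
        }
    }

    /// Heartbeat sweep: drop entries whose `expiry + slack` has passed.
    /// Returns how many entries were removed.
    pub fn sweep(&mut self, now: Instant, slack: Duration) -> usize {
        let before = self.expiry.len();
        self.expiry.retain(|_, expiry| match expiry.checked_add(slack) {
            Some(deadline) => now < deadline,
            None => true,
        });
        before - self.expiry.len()
    }
}

fn main() {
    let now = Instant::now();
    let mut table = Backoffs::default();
    // A peer asks for an absurd backoff; it is clamped and stored without panicking.
    let expiry = table
        .record(now, "peer-a", "topic-x", Duration::from_secs(u64::MAX))
        .expect("clamped backoff is always representable");
    println!("stored expiry is {:?} from now", expiry - now);
    println!(
        "backed off right now: {}",
        table.is_backed_off(now, "peer-a", "topic-x", Duration::from_secs(1))
    );
    println!(
        "unchecked-style deadline with u64::MAX secs would be: {:?}",
        checked_deadline(now, Duration::from_secs(u64::MAX), Duration::from_secs(1))
    );
}
```

The clamp in `record` is what actually removes the attacker's leverage: once no stored `Instant` can sit near the type's limit, the heartbeat addition cannot overflow for any slack a node would realistically use. The `checked_add` calls in `is_backed_off` and `sweep` are defence in depth, so that a future change to the clamp or to the slack value turns into a handled `None` rather than a process-wide panic.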

Fix

Weakness Enumeration
Integer Overflow
Assertion Failure

Related Identifiers

CVE-2026-34219
GHSA-XQMP-FXGV-XVQ5

Affected Products

Libp2P-Rust