PT-2026-30338 · Crates.Io · Libp2P-Rendezvous

Published 2026-04-04 · Updated 2026-04-04 · CVE-2026-35457

CVSS v3.1: 8.2 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Summary

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

Details

Pagination state is stored in:

  HashMap<Cookie, HashSet<RegistrationId>>

On Message::Discover:

  remote peer
  → DISCOVER
  → handle request
  → registrations.get(...)
  → new cookie generated
  → cookie inserted into Registrations::cookies

There is no upper bound or eviction policy, so repeated DISCOVER requests grow this map indefinitely.

PoC

A reproduction test and minimal harness will be provided in a private fork in a follow-up comment.

Impact

Remote state amplification leading to memory exhaustion.
Properties:
  • network reachable
  • no authentication required
  • low attack complexity
  • protocol-compliant traffic

Impacts rendezvous nodes exposed to untrusted peers.

Possible Fixes

  1. Global cap + eviction
Bound cookie storage (MAX COOKIES TRACKED) with FIFO/expiry-aware eviction. Tradeoff: attacker can churn cookies and evict legitimate pagination state.
  2. Stateless cookies
Encode pagination state in authenticated cookies instead of storing server-side state. Tradeoff: more complex implementation.
  3. Rate limiting / per-peer quotas
Limit cookie creation per peer. Tradeoff: requires peer tracking.
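
One way to implement the global cap + eviction option, shown as an added example that is not code from this advisory or from the libp2p project. Cookie and RegistrationId are u64 stand-ins for the crate's types, and BoundedCookies and its cap value are hypothetical names; eviction here is plain FIFO without expiry awareness.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

// Assumption: simple stand-ins for the crate's Cookie and RegistrationId types.
type Cookie = u64;
type RegistrationId = u64;

/// Pagination-cookie store bounded by a global cap, evicting the oldest cookie first.
pub struct BoundedCookies {
    max: usize,
    map: HashMap<Cookie, HashSet<RegistrationId>>,
    order: VecDeque<Cookie>, // insertion order, oldest cookie at the front
}

impl BoundedCookies {
    pub fn new(max: usize) -> Self {
        assert!(max > 0, "cap must be non-zero");
        Self { max, map: HashMap::new(), order: VecDeque::new() }
    }

    /// Stores pagination state for `cookie`; returns the cookie evicted to make room, if any.
    pub fn insert(&mut self, cookie: Cookie, seen: HashSet<RegistrationId>) -> Option<Cookie> {
        if self.map.insert(cookie, seen).is_some() {
            return None; // existing cookie updated in place, keeps its queue slot
        }
        self.order.push_back(cookie);
        if self.map.len() > self.max {
            let oldest = self.order.pop_front()?;
            self.map.remove(&oldest);
            return Some(oldest);
        }
        None
    }

    pub fn get(&self, cookie: &Cookie) -> Option<&HashSet<RegistrationId>> {
        self.map.get(cookie)
    }

    pub fn len(&self) -> usize {
        self.map.len()
    }
}

fn main() {
    let mut cookies = BoundedCookies::new(3);
    // Constructed input: 1000 DISCOVER requests, each minting a fresh cookie.
    for c in 0..1000u64 {
        cookies.insert(c, HashSet::from([c]));
    }
    println!("tracked cookies: {}", cookies.len());
}
```

Memory stays at the cap regardless of request volume, and the early cookies are gone afterwards, which is the churn tradeoff noted for this option.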

Fix

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-35457
GHSA-V5HW-CV9C-RPG7

Affected Products

Libp2P-Rendezvous