CVE-2026-34063

Name of the Vulnerable Software and Affected Versions network-libp2p versions prior to 1.3.0

Description Discovery in network-libp2p utilizes a libp2p ConnectionHandler state machine that assumes a maximum of one inbound and one outbound discovery substream per connection. If a remote peer negotiates the discovery protocol substream a second time on the same connection, the handler triggers a panic!("Inbound already connected") or panic!("Outbound already connected") path. This results in a crash of the networking task (swarm), which takes the node's p2p networking offline until a restart occurs.

Recommendations Update to version 1.3.0.