CVE-2026-33040
Publication date 20 March 2026
Last updated 20 March 2026
Ubuntu priority
Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| rust-libp2p-identity | 25.10 questing |
Needs evaluation
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release |