Unbounded Memory Growth in libp2p Networking Stack by libp2p-rust
CVE-2026-35457

8.2 HIGH

Key Information:

Vendor: Libp2p

CVE Published: 7 April 2026

What is CVE-2026-35457?

The libp2p-rust implementation of the libp2p networking stack is vulnerable because its rendezvous server stores pagination cookies without any limit. As a result, unauthenticated peers can issue repeated DISCOVER requests and drive uncontrolled memory growth on the server. The issue is resolved in version 0.17.1, which introduces mechanisms to prevent memory bloat and ensure stable performance.
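One way to bound the cookie state described above, shown as an added example that is not rust-libp2p's code or its actual fix: a store with a fixed capacity that evicts the oldest cookie when full. The names `BoundedCookieStore`, `PageState` and `stored_after`, the `u64` cookie type and the capacity of 1024 are assumptions made for illustration.

```rust
use std::collections::{HashMap, VecDeque};

/// Hypothetical cookie type; a real server would use random, unguessable values.
type Cookie = u64;

/// Pagination state kept per cookie (assumed here: how many results were already returned).
#[derive(Debug, Clone, PartialEq)]
struct PageState { offset: usize }

/// Cookie store with a hard capacity, so stored state cannot grow with request count.
struct BoundedCookieStore {
    capacity: usize,
    next: Cookie,
    order: VecDeque<Cookie>,          // issue order, oldest at the front
    state: HashMap<Cookie, PageState>,
}

impl BoundedCookieStore {
    fn new(capacity: usize) -> Self {
        assert!(capacity > 0, "capacity must be non-zero");
        Self { capacity, next: 0, order: VecDeque::new(), state: HashMap::new() }
    }

    /// Called once per DISCOVER response: evict the oldest cookie if full, then issue a new one.
    fn issue(&mut self, offset: usize) -> Cookie {
        if self.order.len() == self.capacity {
            if let Some(old) = self.order.pop_front() { self.state.remove(&old); }
        }
        let cookie = self.next;
        self.next = self.next.wrapping_add(1);
        self.order.push_back(cookie);
        self.state.insert(cookie, PageState { offset });
        cookie
    }

    /// Look up a cookie sent back by a peer; an evicted cookie is simply unknown.
    fn lookup(&self, cookie: Cookie) -> Option<&PageState> { self.state.get(&cookie) }
    fn len(&self) -> usize { self.state.len() }
}

/// Simulate `n` DISCOVER requests and return how many cookies remain stored.
fn stored_after(n: usize, capacity: usize) -> usize {
    let mut store = BoundedCookieStore::new(capacity);
    for i in 0..n { store.issue(i); }
    assert!(store.lookup(0).is_some() || n > capacity || n == 0);
    store.len()
}

fn main() {
    println!("cookies stored after 100000 requests: {}", stored_after(100_000, 1024));
}
```

A peer whose cookie was evicted has to restart discovery from the first page, which is the trade-off of this eviction policy.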

Affected Version(s)

rust-libp2p < 0.17.1

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
