Platform: rust
Component: libp2p-gossipsub
Fixed in: 0.49.5, 0.49.4
CVE-2026-34219 describes a remotely exploitable panic vulnerability within the Rust libp2p-gossipsub library. A malicious peer can trigger this panic by sending a specially crafted PRUNE control message with a near-maximum backoff value, leading to an integer overflow during heartbeat processing. This vulnerability affects applications utilizing libp2p-gossipsub versions 0.49.0 through 0.49.3 and is addressed in version 0.49.4.
The vulnerability allows a remote attacker to trigger a denial-of-service (DoS) condition by causing the libp2p-gossipsub peer to panic. This panic can disrupt the peer's operation, potentially leading to network instability and service unavailability. While not a direct code execution vulnerability, the crash can be leveraged to disrupt network communication and potentially impact dependent services. The attacker does not need any special privileges beyond the ability to send messages over the network, making it a relatively easy vulnerability to exploit. The impact is amplified in environments where libp2p-gossipsub is a critical component of the network infrastructure.
This vulnerability was publicly disclosed on 2026-03-30. No known public proof-of-concept (PoC) exploits have been released at the time of writing, but the vulnerability's remote reachability and relatively simple exploitation path suggest a potential for future exploitation. The vulnerability is not currently listed on CISA KEV, but its potential impact warrants monitoring. The vulnerability's reliance on crafted network messages suggests it could be exploited in targeted attacks against systems using libp2p-gossipsub.
Exploit Status
EPSS: 0.05% (17th percentile)
CISA SSVC: (no value given)
CVSS Vector: (no value given)
The primary mitigation for CVE-2026-34219 is to upgrade to libp2p-gossipsub version 0.49.4 or later, which includes the fix that prevents the integer overflow. If upgrading is not immediately feasible, consider rate limiting incoming PRUNE messages per peer to reduce the rate at which a malicious peer can deliver crafted payloads. Network monitoring for unexpected peer disconnections and crashes can also help detect exploitation attempts. After upgrading, confirm the fix in a test environment by sending a crafted PRUNE message with a large backoff value and verifying that the peer does not panic.
Update the rust-libp2p library to version 0.49.4 or higher. This version fixes the arithmetic overflow vulnerability in the backoff expiry handling in Gossipsub. The update prevents potential remote panics caused by manipulated PRUNE messages.
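The following is an added illustration of the failure mode described above and of the two mitigations the advisory names (checked backoff handling in the fixed version, and per-peer PRUNE rate limiting as a stop-gap). It is not rust-libp2p's own code: the PruneMessage type, the policy constants (DEFAULT_BACKOFF_SECS, MAX_BACKOFF_SECS, MAX_PRUNES_PER_WINDOW, PRUNE_WINDOW) and the PruneRateLimiter are assumptions chosen for the example. The unchecked function reproduces the general pattern in which a peer-supplied backoff near u64::MAX is added to an Instant and panics; the checked function clamps the untrusted value and uses checked arithmetic so that an unrepresentable expiry becomes an error instead of a crash.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Policy limits for this example (assumed values, not libp2p constants).
const DEFAULT_BACKOFF_SECS: u64 = 60;
const MAX_BACKOFF_SECS: u64 = 3600;
const MAX_PRUNES_PER_WINDOW: u32 = 10;
const PRUNE_WINDOW: Duration = Duration::from_secs(60);

/// A PRUNE control message as this example models it: it may carry an
/// optional backoff in seconds, which is attacker-controlled input.
#[derive(Debug, Clone, Copy)]
pub struct PruneMessage {
    pub backoff_secs: Option<u64>,
}

/// Vulnerable pattern: trusts the peer's backoff and applies it with
/// unchecked arithmetic. `Instant + Duration` panics when the sum cannot
/// be represented ("overflow when adding duration to instant"), so a
/// backoff near u64::MAX crashes the process when the expiry is computed.
pub fn backoff_expiry_unchecked(now: Instant, prune: &PruneMessage) -> Instant {
    let secs = prune.backoff_secs.unwrap_or(DEFAULT_BACKOFF_SECS);
    now + Duration::from_secs(secs)
}

/// Hardened pattern: clamp the untrusted value to a policy maximum and use
/// checked arithmetic, so an unrepresentable expiry is `None`, never a panic.
pub fn backoff_expiry_checked(now: Instant, prune: &PruneMessage) -> Option<Instant> {
    let secs = prune
        .backoff_secs
        .unwrap_or(DEFAULT_BACKOFF_SECS)
        .min(MAX_BACKOFF_SECS);
    now.checked_add(Duration::from_secs(secs))
}

/// Heartbeat-side check: a peer stays backed off until its expiry passes.
pub fn is_backed_off(now: Instant, expiry: Instant) -> bool {
    now < expiry
}

/// Per-peer PRUNE rate limiter (fixed window), the stop-gap suggested while
/// an upgrade is pending. `allow` returns true if the PRUNE may be processed.
#[derive(Default)]
pub struct PruneRateLimiter {
    windows: HashMap<String, (Instant, u32)>,
}

impl PruneRateLimiter {
    pub fn allow(&mut self, peer_id: &str, now: Instant) -> bool {
        let entry = self.windows.entry(peer_id.to_string()).or_insert((now, 0));
        // Start a fresh window once the previous one has elapsed.
        if now.duration_since(entry.0) >= PRUNE_WINDOW {
            *entry = (now, 0);
        }
        if entry.1 >= MAX_PRUNES_PER_WINDOW {
            return false;
        }
        entry.1 += 1;
        true
    }
}

fn main() {
    let now = Instant::now();
    // Constructed hostile message: a near-maximum backoff value.
    let hostile = PruneMessage { backoff_secs: Some(u64::MAX) };

    let crashed = std::panic::catch_unwind(move || backoff_expiry_unchecked(now, &hostile)).is_err();
    println!("unchecked handling panicked: {crashed}");

    match backoff_expiry_checked(now, &hostile) {
        Some(expiry) => println!("checked handling clamped the backoff to {:?}", expiry - now),
        None => println!("checked handling rejected the backoff"),
    }
}
```

Running the binary shows the unchecked path panicking on the hostile value while the checked path clamps it to the policy maximum; the rate limiter is independent of the arithmetic fix and only bounds how many PRUNE messages one peer can have processed per window.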
CVE-2026-34219 is a vulnerability in the libp2p-gossipsub Rust library where a crafted PRUNE message can trigger an integer overflow and panic, leading to a denial-of-service.
You are affected if you are using libp2p-gossipsub versions 0.49.0 through 0.49.3. Upgrade to 0.49.4 or later to mitigate the risk.
Upgrade to libp2p-gossipsub version 0.49.4 or later. Consider rate limiting PRUNE messages as a temporary workaround.
No active exploitation has been confirmed, but the vulnerability's nature suggests a potential for future exploitation.
Refer to the libp2p project's official communication channels and security advisories for the most up-to-date information.