Platform: rust
Component: libp2p-rendezvous
Fixed in: 0.17.2, 0.17.1
CVE-2026-35457 describes a memory exhaustion vulnerability within the libp2p-rendezvous library. An attacker can repeatedly send DISCOVER requests, causing the rendezvous server to allocate unbounded memory due to a lack of eviction policies for pagination cookies. This can lead to a denial-of-service condition. The vulnerability impacts versions of libp2p-rendezvous before 0.17.1, and a fix is available in that version.
The primary impact of CVE-2026-35457 is a denial-of-service (DoS). An attacker can exploit this vulnerability by repeatedly sending DISCOVER requests to the libp2p-rendezvous server. The server stores pagination cookies in a HashMap without any size limits or eviction policies. Each request generates a new cookie, leading to unbounded memory growth. Eventually, the server will run out of memory, crashing or becoming unresponsive, effectively denying service to legitimate users. This vulnerability doesn't directly lead to data exfiltration or remote code execution, but the DoS can disrupt critical network functions relying on libp2p-rendezvous.
This vulnerability was publicly disclosed on 2026-04-04. A proof-of-concept (PoC) demonstrating the vulnerability is available, indicating a relatively low barrier to exploitation. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns at this time. The CVSS score of 8.2 (HIGH) reflects the potential for significant disruption.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-35457 is to upgrade to version 0.17.1 or later of libp2p-rendezvous. This version includes the necessary fix to limit memory growth. If upgrading immediately is not feasible, consider implementing rate limiting on DISCOVER requests at the network level. This can help prevent an attacker from overwhelming the server with requests. Additionally, monitoring memory usage on the rendezvous server is crucial to detect potential DoS attacks. After upgrading, confirm the fix by sending a series of DISCOVER requests and verifying that memory usage remains within acceptable bounds.
Update to version 0.17.1 or higher of libp2p-rust to mitigate the risk of memory exhaustion. This version fixes the vulnerability by imposing limits on the storage of discovery cookies.
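The impact description above attributes the memory growth to a cookie map with no size limit or eviction, and the mitigation text says the fix imposes limits on cookie storage. The following is an added example of what such a bound looks like in code. It is not libp2p-rendezvous's own implementation; the `CookieStore`, `CookieEntry`, `issue`, `lookup` and `retained_after_flood` names, the two caps (total and per peer) and the FIFO eviction policy are all assumptions made for illustration, and the sample registration keys are constructed.

```rust
use std::collections::{HashMap, VecDeque};

/// Pagination state that a DISCOVER cookie refers back to. For this example
/// the state is just the registration keys already sent to the client
/// (constructed sample data, not the real wire format).
#[derive(Debug, Clone, PartialEq)]
pub struct CookieEntry {
    pub peer: String,
    pub already_sent: Vec<String>,
}

/// Bounded cookie store: a hard cap on the total number of cookies and a cap
/// per requesting peer. Both are enforced by evicting the oldest entry, so a
/// client that keeps re-issuing DISCOVER only recycles its own slots and the
/// server's memory stays proportional to `max_total`.
/// Hypothetical design for illustration, not libp2p-rendezvous's own code.
pub struct CookieStore {
    max_total: usize,
    max_per_peer: usize,
    next_id: u64,
    entries: HashMap<u64, CookieEntry>,
    /// Global insertion order, oldest cookie id at the front.
    order: VecDeque<u64>,
    /// Per-peer insertion order, oldest cookie id at the front.
    per_peer: HashMap<String, VecDeque<u64>>,
}

impl CookieStore {
    pub fn new(max_total: usize, max_per_peer: usize) -> Self {
        assert!(max_total > 0 && max_per_peer > 0, "caps must be positive");
        CookieStore {
            max_total,
            max_per_peer,
            next_id: 1,
            entries: HashMap::new(),
            order: VecDeque::new(),
            per_peer: HashMap::new(),
        }
    }

    /// Issue a new cookie for `peer`, first evicting old cookies if either
    /// cap would otherwise be exceeded. Returns the new cookie id.
    pub fn issue(&mut self, peer: &str, already_sent: Vec<String>) -> u64 {
        // Per-peer cap: one noisy client cannot hold more than max_per_peer slots.
        let oldest_for_peer = self
            .per_peer
            .get(peer)
            .filter(|q| q.len() >= self.max_per_peer)
            .and_then(|q| q.front().copied());
        if let Some(victim) = oldest_for_peer {
            self.evict(victim);
        }
        // Global cap: many distinct clients together still cannot exceed max_total.
        while self.entries.len() >= self.max_total {
            match self.order.front().copied() {
                Some(victim) => self.evict(victim),
                None => break,
            }
        }
        let id = self.next_id;
        self.next_id += 1;
        self.entries.insert(id, CookieEntry { peer: peer.to_string(), already_sent });
        self.order.push_back(id);
        self.per_peer.entry(peer.to_string()).or_default().push_back(id);
        id
    }

    /// Resolve a cookie presented by a client; evicted or unknown ids yield None.
    pub fn lookup(&self, id: u64) -> Option<&CookieEntry> {
        self.entries.get(&id)
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }

    /// Remove one cookie from all three indexes (idempotent).
    fn evict(&mut self, id: u64) {
        if let Some(entry) = self.entries.remove(&id) {
            self.order.retain(|x| *x != id);
            if let Some(q) = self.per_peer.get_mut(&entry.peer) {
                q.retain(|x| *x != id);
                if q.is_empty() {
                    self.per_peer.remove(&entry.peer);
                }
            }
        }
    }
}

/// Simulate `requests` DISCOVER calls spread round-robin over `peers` distinct
/// clients and return how many cookies the bounded store retains afterwards.
pub fn retained_after_flood(max_total: usize, max_per_peer: usize, peers: usize, requests: usize) -> usize {
    let mut store = CookieStore::new(max_total, max_per_peer);
    for i in 0..requests {
        let peer = format!("peer-{}", i % peers);
        store.issue(&peer, vec![format!("reg-{}", i)]);
    }
    store.len()
}

fn main() {
    // 10,000 requests from a single client leave only max_per_peer cookies behind.
    println!("single client: {} cookies retained", retained_after_flood(1000, 4, 1, 10_000));
    // 500 clients x 4 cookies would be 2000, but the global cap holds it at 1000.
    println!("500 clients:   {} cookies retained", retained_after_flood(1000, 4, 500, 10_000));
}
```

The two caps address different parts of the threat: the per-peer cap stops a single client from filling the store, and the global cap keeps memory bounded even when many clients (or many spoofed identities) each stay under their own limit. Whatever the real library chose, the check to make after upgrading is the one the mitigation text already describes: drive a stream of DISCOVER requests at a test node and confirm that resident memory plateaus instead of growing with the request count.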
CVE-2026-35457 is a HIGH severity vulnerability in libp2p-rendezvous where repeated DISCOVER requests can cause unbounded memory growth, leading to a denial-of-service.
You are affected if you are using a version of libp2p-rendezvous prior to 0.17.1. Assess your dependencies to determine if you are vulnerable.
Upgrade to version 0.17.1 or later of libp2p-rendezvous. If immediate upgrade is not possible, implement rate limiting on DISCOVER requests.
There are currently no reports of active exploitation campaigns, but a PoC is available, indicating potential for exploitation.
Refer to the libp2p project's security advisories and release notes for details: [https://libp2p.io/security/](https://libp2p.io/security/)