CVE-2026-35405 (GCVE-0-2026-35405)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:21 – Updated: 2026-04-09 17:44
VLAI?
Title
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| libp2p | rust-libp2p |
Affected:
< 0.17.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35405",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T17:44:02.373442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T17:44:08.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rust-libp2p",
"vendor": "libp2p",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:21:15.377Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"source": {
"advisory": "GHSA-cqfx-gf56-8x59",
"discovery": "UNKNOWN"
},
"title": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35405",
"datePublished": "2026-04-07T14:21:15.377Z",
"dateReserved": "2026-04-02T17:03:42.075Z",
"dateUpdated": "2026-04-09T17:44:08.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-35405\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-07T15:17:43.367\",\"lastModified\":\"2026-04-09T18:17:01.273\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-770\", \"lang\": \"en\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59\"}], \"affected\": [{\"vendor\": \"libp2p\", \"product\": \"rust-libp2p\", \"versions\": [{\"version\": \"\u003c 0.17.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-07T14:21:15.377Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.\"}], \"source\": {\"advisory\": \"GHSA-cqfx-gf56-8x59\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35405\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-09T17:44:02.373442Z\"}}}], \"references\": [{\"url\": \"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-09T17:43:54.490Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2026-35405\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-02T17:03:42.075Z\", \"datePublished\": \"2026-04-07T14:21:15.377Z\", \"dateUpdated\": \"2026-04-09T17:44:08.836Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-CQFX-GF56-8X59
Vulnerability from github – Published: 2026-04-04 06:33 – Updated: 2026-04-07 19:59
VLAI?
Summary
libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
Details
Summary
Thelibp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register unique namespaces in a loop, and the server accepts the requests, allocating memory for each registration without pushback. If an attacker continues submitting malicous requests for long enough, (or with multiple sybil peers) the server process crashes due to OOM.
No auth is required; therefore, any peer on the network can do this.
Details
the bug is in Registrations::add() inside protocols/rendezvous/src/server.rs.
the store uses a BiMap keyed on (PeerId, Namespace) so yes, a peer can't register the same namespace twice. but there's nothing stopping it from registering 10,000 different namespaces. each unique one gets its own entry in:
registrations_for_peer(BiMap)registrations(HashMap)next_expiry(FuturesUnordered a new heap-allocated BoxFuture per registration)
namespace strings are only validated for length (MAX_NAMESPACE = 255), not count. there's no max_registrations_per_peer anywhere in Config or the rest of the codebase.
making it worse MAX_TTL = 72 hours. so every registration just sits there for up to 3 days. disconnecting doesn't clean anything up either, entries only go away when the TTL fires.
protocols/rendezvous/src/server.rs
└── Registrations::add() ← no per-peer count check anywhere
protocols/rendezvous/src/lib.rs
├── MAX_NAMESPACE = 255 ← length capped, count is not
└── MAX_TTL = 72h ← entries persist a long time
fix would be adding something like max_registrations_per_peer to Config and checking it at the top of add() before inserting anything.
PoC
tested on libp2p v0.56.1, built from source.
step 1 - start the rendezvous server (uses the example from the repo):
cargo run --manifest-path examples/rendezvous/Cargo.toml --bin rendezvous-example
step 2 - run the flood client (attached as rzv-flood.rs):
cargo run --manifest-path examples/rendezvous/Cargo.toml --bin rzv-flood
it connects as a single peer and registers 10,000 unique namespaces (flood-00000000 through flood-00009999), chaining each registration on the confirmed Registered event from the previous one.
server accepted every single one. not one rejection.
memory on the server side (via ps aux RSS column):
baseline: ~18 MB
mid flood: ~26 MB
after 10k regs: ~28 MB
that's from one peer. scale to 100 sybil peers doing the same thing and you're looking at ~1GB. 1000 peers and the server is dead.
server RSS climbing during the flood
10,000 registrations confirmed, zero rejected
Impact
any node running libp2p-rendezvous server-side is affected. rendezvous servers are typically well-known, publicly reachable nodes taking one down disrupts peer discovery for all clients depending on it. any rust-libp2p based project that deploys a rendezvous point is at risk.
no special position on the network needed. no crypto work. just open a connection and send REGISTER in a loop.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "libp2p-rendezvous"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-35405"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-04T06:33:46Z",
"nvd_published_at": "2026-04-07T15:17:43Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe`libp2p-rendezvous` server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register unique namespaces in a loop, and the server accepts the requests, allocating memory for each registration without pushback. If an attacker continues submitting malicous requests for long enough, (or with multiple sybil peers) the server process crashes due to OOM.\n\nNo auth is required; therefore, any peer on the network can do this.\n\n\n\n### Details\n\nthe bug is in `Registrations::add()` inside `protocols/rendezvous/src/server.rs`.\n\nthe store uses a BiMap keyed on `(PeerId, Namespace)` so yes, a peer can\u0027t register the *same* namespace twice. but there\u0027s nothing stopping it from registering 10,000 *different* namespaces. each unique one gets its own entry in:\n\n- `registrations_for_peer` (BiMap)\n- `registrations` (HashMap)\n- `next_expiry` (FuturesUnordered a new heap-allocated BoxFuture per registration)\n\nnamespace strings are only validated for length (`MAX_NAMESPACE = 255`), not count. there\u0027s no `max_registrations_per_peer` anywhere in `Config` or the rest of the codebase.\n\nmaking it worse `MAX_TTL = 72 hours`. so every registration just sits there for up to 3 days. disconnecting doesn\u0027t clean anything up either, entries only go away when the TTL fires.\n\n```\nprotocols/rendezvous/src/server.rs\n \u2514\u2500\u2500 Registrations::add() \u2190 no per-peer count check anywhere\n\nprotocols/rendezvous/src/lib.rs\n \u251c\u2500\u2500 MAX_NAMESPACE = 255 \u2190 length capped, count is not\n \u2514\u2500\u2500 MAX_TTL = 72h \u2190 entries persist a long time\n```\n\nfix would be adding something like `max_registrations_per_peer` to `Config` and checking it at the top of `add()` before inserting anything.\n\n\n\n### PoC\n\ntested on `libp2p v0.56.1`, built from source.\n\n**step 1** - start the rendezvous server (uses the example from the repo):\n```bash\ncargo run --manifest-path examples/rendezvous/Cargo.toml --bin rendezvous-example\n```\n\n**step 2** - run the flood client (attached as `rzv-flood.rs`):\n```bash\ncargo run --manifest-path examples/rendezvous/Cargo.toml --bin rzv-flood\n```\n\nit connects as a single peer and registers 10,000 unique namespaces (`flood-00000000` through `flood-00009999`), chaining each registration on the confirmed `Registered` event from the previous one.\n\nserver accepted every single one. not one rejection.\n\nmemory on the server side (via `ps aux` RSS column):\n\n```\nbaseline: ~18 MB\nmid flood: ~26 MB \nafter 10k regs: ~28 MB\n```\n\nthat\u0027s from one peer. scale to 100 sybil peers doing the same thing and you\u0027re looking at ~1GB. 1000 peers and the server is dead.\n\n\u003cimg width=\"1032\" height=\"124\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f778f179-2aa1-4485-940c-25e218733fa8\" /\u003e\n\n*server RSS climbing during the flood*\n\n\u003cimg width=\"553\" height=\"760\" alt=\"image\" src=\"https://github.com/user-attachments/assets/691b0f52-dda0-443f-a3c2-98c8c6336f2f\" /\u003e\n\n*10,000 registrations confirmed, zero rejected*\n\n\n\n### Impact\n\nany node running libp2p-rendezvous server-side is affected. rendezvous servers are typically well-known, publicly reachable nodes taking one down disrupts peer discovery for all clients depending on it. any rust-libp2p based project that deploys a rendezvous point is at risk.\n\nno special position on the network needed. no crypto work. just open a connection and send REGISTER in a loop.",
"id": "GHSA-cqfx-gf56-8x59",
"modified": "2026-04-07T19:59:36Z",
"published": "2026-04-04T06:33:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35405"
},
{
"type": "PACKAGE",
"url": "https://github.com/libp2p/rust-libp2p"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers"
}
FKIE_CVE-2026-35405
Vulnerability from fkie_nvd - Published: 2026-04-07 15:17 - Updated: 2026-04-09 18:17
Severity ?
Summary
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1."
}
],
"id": "CVE-2026-35405",
"lastModified": "2026-04-09T18:17:01.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-04-07T15:17:43.367",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-cqfx-gf56-8x59"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…