Cyber Resilience

CVE-2026-33040

Severity: High
Published: 20 March 2026
Modified: 01 May 2026
KEV Added: (not listed)
Patch: available
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0047 (37.2nd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-33040 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Protocol Libp2P-Gossipsub. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 37.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33040 is a vulnerability in the Gossipsub implementation of libp2p-rust, the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the code accepts attacker-controlled PRUNE backoff values and performs unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff, such as u64::MAX, can cause a Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-190 (Integer Overflow or Wraparound).

The vulnerability is remotely exploitable over a normal libp2p connection and does not require authentication. A network attacker who can reach the service port of any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can crash the application by sending the crafted PRUNE message. The attack is repeatable, as the attacker can reconnect and replay the message to sustain denial of service.

The issue has been addressed in libp2p-rust version 0.49.3. Additional details on the vulnerability and patch are available in the GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2.
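The defect class described above, a peer-supplied backoff turned into a `Duration` and added to an `Instant` with unchecked arithmetic, is easy to reproduce and to harden in isolation. The following is an added example written for this page; it is not code from rust-libp2p, and `PruneControl`, `PruneError`, `apply_prune` and the `MAX_PRUNE_BACKOFF_SECS` ceiling are constructed names and values, not the library's own. The "unchecked" function is a reconstruction of the pattern the advisory describes, not the actual vulnerable code; the "checked" function shows the two defensive layers the mitigations section calls for: rejecting excessively large inputs, and using `Instant::checked_add` so that a bad message is dropped instead of panicking the networking task.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Constructed ceiling for this example: the longest backoff we will honour from
// a remote peer (one hour). The real library's limit is not stated on this page.
pub const MAX_PRUNE_BACKOFF_SECS: u64 = 60 * 60;

/// Hypothetical shape of a decoded PRUNE control message: the remote peer
/// names a topic and may include a backoff in seconds.
#[derive(Debug, Clone)]
pub struct PruneControl {
    pub topic: String,
    pub backoff_secs: Option<u64>,
}

/// Returned instead of panicking when a peer sends an unusable backoff.
#[derive(Debug, PartialEq, Eq)]
pub enum PruneError {
    /// Peer asked for a backoff above the ceiling we are willing to store.
    BackoffTooLarge { requested: u64, max: u64 },
    /// `now + backoff` is not representable as an `Instant` on this platform.
    BackoffNotRepresentable { requested: u64 },
}

/// Reconstruction of the vulnerable pattern (not the library's code): the
/// peer-supplied value becomes a Duration and is added to the current time
/// with plain `+`. `Instant + Duration` panics when the result cannot be
/// represented, so a backoff of u64::MAX takes the whole task down.
pub fn backoff_expiry_unchecked(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened form: validate the remote value against a ceiling, then use
/// checked arithmetic so the worst case is a rejected message, never a panic.
pub fn backoff_expiry_checked(now: Instant, backoff_secs: u64) -> Result<Instant, PruneError> {
    if backoff_secs > MAX_PRUNE_BACKOFF_SECS {
        return Err(PruneError::BackoffTooLarge {
            requested: backoff_secs,
            max: MAX_PRUNE_BACKOFF_SECS,
        });
    }
    now.checked_add(Duration::from_secs(backoff_secs))
        .ok_or(PruneError::BackoffNotRepresentable { requested: backoff_secs })
}

/// Applies a PRUNE to a per-topic backoff table and returns the stored expiry.
/// A message without a backoff field stores nothing (constructed policy for
/// this example; the protocol's real default is not given on this page).
pub fn apply_prune(
    backoffs: &mut HashMap<String, Instant>,
    now: Instant,
    msg: &PruneControl,
) -> Result<Option<Instant>, PruneError> {
    match msg.backoff_secs {
        None => Ok(None),
        Some(secs) => {
            let expiry = backoff_expiry_checked(now, secs)?;
            backoffs.insert(msg.topic.clone(), expiry);
            Ok(Some(expiry))
        }
    }
}

fn main() {
    let now = Instant::now();
    let mut table = HashMap::new();

    // Constructed messages: one benign PRUNE and one carrying u64::MAX.
    let benign = PruneControl { topic: "blocks".into(), backoff_secs: Some(60) };
    let hostile = PruneControl { topic: "blocks".into(), backoff_secs: Some(u64::MAX) };

    println!("benign  -> {:?}", apply_prune(&mut table, now, &benign).is_ok());
    println!("hostile -> {:?}", apply_prune(&mut table, now, &hostile));

    // Show that the unchecked pattern panics on the same input. The hook is
    // silenced only so the demo output stays readable.
    std::panic::set_hook(Box::new(|_| {}));
    let panicked = std::panic::catch_unwind(move || backoff_expiry_unchecked(now, u64::MAX)).is_err();
    println!("unchecked pattern panicked on u64::MAX: {panicked}");
}
```

The ceiling is the policy decision an operator has to make; the checked addition is what keeps an out-of-policy or platform-edge value from turning into a crash even if that policy is later loosened.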

Vulnerability details

libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote integer overflow in Gossipsub PRUNE handling triggers application panic/crash, directly enabling Endpoint Denial of Service via Application or System Exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31814 (same vendor: Protocol)
CVE-2026-35405 (same vendor: Protocol)
CVE-2026-35457 (same vendor: Protocol)
CVE-2026-32314 (same vendor: Protocol)
CVE-2026-33666 (shared CWE-190)
CVE-2026-24173 (shared CWE-190)
CVE-2026-24210 (shared CWE-190)
CVE-2026-35092 (shared CWE-190)
CVE-2026-28952 (shared CWE-190)
CVE-2026-33662 (shared CWE-190)

Affected Assets

Vendor: Protocol
Product: libp2p-gossipsub
Versions: ≤ 0.49.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly mitigates the vulnerability by requiring timely identification, testing, and patching of the integer overflow flaw in libp2p-rust Gossipsub to version 0.49.3.

Prevent (SI-10, Information Input Validation): Prevents exploitation by enforcing validation of attacker-controlled PRUNE backoff values to reject excessively large inputs that cause Duration/Instant overflow.

Prevent (SC-5, Denial-of-service Protection): Implements denial-of-service protections at the libp2p Gossipsub listener to limit or block repeated crafted PRUNE messages that trigger networking state machine panics.
