CVE-2026-33040
Published: 20 March 2026
Summary
CVE-2026-33040 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the Gossipsub implementation of libp2p-rust (the rust-libp2p project). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 8.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the vulnerability by requiring timely identification, testing and patching, here by updating libp2p-rust Gossipsub to version 0.49.3 or later.
- SI-10 (Information Input Validation): prevents exploitation by validating attacker-controlled PRUNE backoff values and rejecting values large enough to overflow the Duration/Instant arithmetic.
- SC-5 (Denial-of-service Protection): limits the impact of repeated crafted PRUNE messages at the libp2p Gossipsub listener, so a peer that reconnects and replays the message cannot keep the service down.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely triggerable integer overflow in Gossipsub PRUNE handling causes an application panic and crash, which maps directly to Endpoint Denial of Service via Application or System Exploitation (T1499.004).
NVD Description
libp2p-rust is the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX) can lead to Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. This is remotely reachable over a normal libp2p connection and does not require authentication. Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message. This issue has been fixed in version 0.49.3.
Deeper analysis
CVE-2026-33040 is a vulnerability in the Gossipsub implementation of libp2p-rust, the official Rust language implementation of the libp2p networking stack. In versions prior to 0.49.3, the code accepts attacker-controlled PRUNE backoff values and performs unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff, such as u64::MAX, can cause a Duration/Instant overflow during backoff update logic, triggering a panic in the networking state machine. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-190 (Integer Overflow or Wraparound).
The vulnerability is remotely exploitable over a normal libp2p connection and does not require authentication. A network attacker who can reach the service port of any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can crash the application by sending the crafted PRUNE message. The attack is repeatable, as the attacker can reconnect and replay the message to sustain denial of service.
The issue has been addressed in libp2p-rust version 0.49.3. Additional details on the vulnerability and patch are available in the GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2.
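As an added illustration (not code from rust-libp2p, the advisory, or the fix in 0.49.3), the following Rust models the backoff-update step the description refers to: the unchecked `Instant + Duration` addition that panics on a u64::MAX backoff, beside a hardened variant that bounds the untrusted value and uses checked arithmetic so an oversized PRUNE is rejected instead of crashing the node. The `PruneMsg` type, the `Backoffs` table, the one-hour `MAX_BACKOFF` cap and the 60-second default are this example's own assumptions, not the crate's types or constants, and the PRUNE sequence it replays is constructed for the example.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// A PRUNE control message as modelled for this example (field names are the
/// example's own, not the crate's): sending peer, pruned topic, and the backoff
/// the sender asks us to honour in seconds, which gossipsub lets it omit.
#[derive(Debug, Clone)]
pub struct PruneMsg {
    pub peer: String,
    pub topic: String,
    pub backoff_secs: Option<u64>,
}

/// Vulnerable pattern, as the advisory describes it: the attacker-controlled
/// backoff is added to the current Instant with no bound and no checked add.
/// `Instant + Duration` panics on overflow, so u64::MAX seconds takes the
/// networking state machine down with it.
pub fn vulnerable_backoff_expiry(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Upper bound on any backoff accepted from the network. One hour is an
/// assumption chosen for this example, not the crate's own constant.
pub const MAX_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// Default used when the sender omits the backoff (example value).
pub const DEFAULT_BACKOFF_SECS: u64 = 60;

/// Hardened pattern: validate the untrusted value against a bound first, then
/// use checked arithmetic. `None` means "reject this message", never "panic".
pub fn hardened_backoff_expiry(now: Instant, backoff_secs: u64) -> Option<Instant> {
    let backoff = Duration::from_secs(backoff_secs);
    if backoff > MAX_BACKOFF {
        return None; // oversized backoff is a protocol violation: drop it
    }
    now.checked_add(backoff) // still checked: never assume the add fits
}

/// Per-(topic, peer) backoff table, standing in for the state kept by the
/// PRUNE handling path.
#[derive(Default)]
pub struct Backoffs {
    expiry: HashMap<(String, String), Instant>,
    pub rejected: usize,
}

impl Backoffs {
    /// Handle one PRUNE with the hardened logic. Returns true when the backoff
    /// was recorded, false when the message was rejected as invalid.
    pub fn handle_prune(&mut self, now: Instant, msg: &PruneMsg) -> bool {
        let secs = msg.backoff_secs.unwrap_or(DEFAULT_BACKOFF_SECS);
        match hardened_backoff_expiry(now, secs) {
            Some(until) => {
                self.expiry.insert((msg.topic.clone(), msg.peer.clone()), until);
                true
            }
            None => {
                self.rejected += 1;
                false
            }
        }
    }

    /// True while `peer` is still backed off on `topic` at time `now`.
    pub fn is_backed_off(&self, now: Instant, topic: &str, peer: &str) -> bool {
        self.expiry
            .get(&(topic.to_string(), peer.to_string()))
            .map_or(false, |until| *until > now)
    }
}

/// Replays a constructed PRUNE sequence (two benign peers, then a hostile one
/// sending u64::MAX) through the hardened handler.
/// Returns (accepted, rejected, hostile_peer_backed_off).
pub fn run_demo() -> (usize, usize, bool) {
    let now = Instant::now();
    let msgs = [
        PruneMsg { peer: "peerA".into(), topic: "blocks".into(), backoff_secs: Some(60) },
        PruneMsg { peer: "peerB".into(), topic: "blocks".into(), backoff_secs: None },
        PruneMsg { peer: "mallory".into(), topic: "blocks".into(), backoff_secs: Some(u64::MAX) },
    ];
    let mut table = Backoffs::default();
    let accepted = msgs.iter().filter(|m| table.handle_prune(now, m)).count();
    let hostile_backed_off = table.is_backed_off(now, "blocks", "mallory");
    (accepted, table.rejected, hostile_backed_off)
}

/// Demonstrates the crash: the unchecked pattern panics on the same hostile
/// input (the default panic hook prints the message to stderr).
pub fn vulnerable_panics_on_max() -> bool {
    let now = Instant::now();
    std::panic::catch_unwind(move || vulnerable_backoff_expiry(now, u64::MAX)).is_err()
}

fn main() {
    let (accepted, rejected, hostile_backed_off) = run_demo();
    println!("hardened: accepted={accepted} rejected={rejected} hostile_backed_off={hostile_backed_off}");
    println!("unchecked pattern panics on u64::MAX: {}", vulnerable_panics_on_max());
}
```

Rejecting rather than clamping is a design choice made here: a backoff far beyond any plausible value is evidence of a hostile peer, and returning `None` lets the caller count it against that peer or drop the connection, which also addresses the reconnect-and-replay pattern the description mentions. Clamping to `MAX_BACKOFF` would be equally safe against the overflow itself.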
Details
- CWE(s)