CVE-2026-35405
Published: 07 April 2026
Summary
CVE-2026-35405 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Protocol Libp2P. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates resource exhaustion DoS by implementing limits, throttling, or blocking mechanisms against unbounded namespace registrations from malicious peers.
- Protects memory and processing resource availability by enforcing quotas and allocation limits per peer to prevent OOM kills from repeated registrations.
- Restricts the volume, frequency, or type of namespace registration inputs to prevent malicious peers from triggering unbounded memory allocations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the libp2p-rendezvous server enables direct exploitation of an unbounded resource allocation flaw to cause application-level denial of service via OOM, matching T1499.004 Application or System Exploitation.
NVD Description
libp2p-rust is the official Rust language implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one, allocating memory for each registration with no pushback. Keep doing this long enough (or with multiple sybil peers) and the server process gets OOM killed. This vulnerability is fixed in 0.17.1.
Deeper analysis
CVE-2026-35405 affects libp2p-rust, the official Rust language implementation of the libp2p networking stack, specifically versions prior to 0.17.1. The vulnerability resides in the libp2p-rendezvous server, which imposes no limits on the number of namespaces a single peer can register. This allows unbounded memory allocation for each registration, as the server accepts registrations without any throttling or pushback, potentially leading to resource exhaustion mapped to CWE-770 (Allocation of Resources Without Limits or Throttling). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption.
Any network-accessible malicious peer can exploit this vulnerability without authentication or user interaction by repeatedly registering unique namespaces in a loop. Attackers can amplify the impact using multiple sybil identities to accelerate memory consumption, eventually causing the server process to be out-of-memory (OOM) killed and resulting in denial of service.
The GitHub security advisory (GHSA-cqfx-gf56-8x59) confirms the vulnerability is fixed in libp2p-rust version 0.17.1, recommending that users upgrade to this or later versions to mitigate the issue by implementing appropriate registration limits.
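The remedy the advisory describes is a bounded registration table. The Rust sketch below is an added illustration, not libp2p-rust's own code; `Registrations`, `max_per_peer` and `max_total` are assumed names. It caps namespaces per peer and server-wide, the second bound being what keeps sybil peers from multiplying the first:

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq, Eq)]
pub enum RegisterError {
    PeerLimitExceeded,   // this peer already holds max_per_peer namespaces
    GlobalLimitExceeded, // server-wide budget spent; bounds memory even against sybil peers
}

/// Bounded registration table (illustrative; names are assumptions, not libp2p's API).
pub struct Registrations {
    by_peer: HashMap<String, HashSet<String>>, // peer id -> namespaces it registered
    total: usize,
    max_per_peer: usize,
    max_total: usize,
}

impl Registrations {
    pub fn new(max_per_peer: usize, max_total: usize) -> Self {
        Self { by_peer: HashMap::new(), total: 0, max_per_peer, max_total }
    }

    /// Accept a registration only while both budgets have room; returns the peer's count.
    pub fn register(&mut self, peer: &str, ns: &str) -> Result<usize, RegisterError> {
        let held = self.by_peer.get(peer).map_or(0, |s| s.len());
        if self.by_peer.get(peer).map_or(false, |s| s.contains(ns)) {
            return Ok(held); // re-registering an existing namespace allocates nothing new
        }
        // Check limits before touching the map so a rejected peer costs no allocation.
        if held >= self.max_per_peer {
            return Err(RegisterError::PeerLimitExceeded);
        }
        if self.total >= self.max_total {
            return Err(RegisterError::GlobalLimitExceeded);
        }
        let set = self.by_peer.entry(peer.to_string()).or_default();
        set.insert(ns.to_string());
        self.total += 1;
        Ok(set.len())
    }

    /// Unregistering frees the slot so memory can shrink again.
    pub fn unregister(&mut self, peer: &str, ns: &str) -> bool {
        let removed = self.by_peer.get_mut(peer).map_or(false, |s| s.remove(ns));
        if removed { self.total -= 1; }
        removed
    }

    pub fn total(&self) -> usize { self.total }
}
```

A real server would also expire registrations by TTL; that is omitted here so the two limits stay the focus.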
Details
- CWE(s)