CVE-2026-35457
Published: 07 April 2026
Summary
CVE-2026-35457 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Protocol Libp2P. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-5 requires denial-of-service protections such as rate limiting and resource throttling to prevent unauthenticated peers from causing unbounded memory growth via repeated DISCOVER requests.
SC-6 mandates controls to protect system resources like memory from unauthorized consumption, directly countering the unbounded storage of pagination cookies.
SI-2 ensures timely identification, reporting, and correction of flaws like the CWE-770 unbounded allocation in libp2p-rust by applying patches such as upgrading to version 0.17.1.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables exploitation of the rendezvous server to cause application resource exhaustion and denial of service via repeated protocol requests.
NVD Description
libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed…
more
in 0.17.1.
Deeper analysisAI
CVE-2026-35457 affects libp2p-rust, the official Rust language implementation of the libp2p networking stack. Prior to version 0.17.1, the rendezvous server component stores pagination cookies without bounds, enabling unbounded memory growth. This flaw, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating high severity primarily due to availability impact.
An unauthenticated peer can exploit this vulnerability over the network with low complexity and no user interaction required. By repeatedly issuing DISCOVER requests to the rendezvous server, the attacker triggers continuous storage of pagination cookies, leading to unbounded memory consumption and potential denial-of-service through resource exhaustion on the targeted system.
The GitHub security advisory at https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7 details the issue and confirms mitigation by upgrading to libp2p-rust version 0.17.1 or later, where bounds checking on pagination cookie storage has been implemented to prevent memory growth abuse.
Details
- CWE(s)