CVE-2026-35405 Overview
CVE-2026-35405 is a resource exhaustion vulnerability in libp2p-rust, the official Rust language implementation of the libp2p networking stack. Prior to version 0.17.1, the libp2p-rendezvous server component lacks any limit on the number of namespaces a single peer can register. This missing allocation limit allows malicious actors to exhaust server memory by continuously registering unique namespaces, ultimately causing an out-of-memory (OOM) condition that terminates the server process.
Critical Impact
Unauthenticated remote attackers can cause denial of service by exhausting server memory through unlimited namespace registrations, potentially disrupting entire libp2p-based decentralized networks.
Affected Products
- libp2p-rust versions prior to 0.17.1
- libp2p-rendezvous server component
- Applications built on vulnerable libp2p-rust versions
Discovery Timeline
- 2026-04-07 - CVE-2026-35405 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35405
Vulnerability Analysis
This vulnerability falls under CWE-770 (Allocation of Resources Without Limits or Throttling). The libp2p-rendezvous server is designed to facilitate peer discovery in decentralized networks by allowing peers to register under namespaces. However, the implementation prior to version 0.17.1 fails to enforce any restrictions on namespace registration, creating a critical resource exhaustion vector.
When a peer connects to the rendezvous server, it can register itself under arbitrary namespaces without any rate limiting or quota enforcement. The server allocates memory for each registration without any pushback mechanism. An attacker can exploit this by rapidly registering unique namespaces in a loop, causing the server to continuously allocate memory until the system's available memory is exhausted.
The effect is amplified when an attacker runs multiple sybil peers (fake identities under the same control) simultaneously, since each identity adds its own stream of registrations and the memory exhaustion proceeds faster. Because the vulnerability is exploitable over the network without authentication, any peer capable of connecting to a vulnerable rendezvous server can trigger the denial of service condition.
Root Cause
The root cause of this vulnerability is the absence of resource allocation controls in the namespace registration handler. The server implementation does not implement:
- Per-peer namespace registration limits
- Global namespace count restrictions
- Memory allocation budgets for registration data
- Rate limiting on registration requests
This oversight allows unbounded memory allocation based on untrusted peer input, violating the principle of defensive resource management in network-facing services.
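An added illustration of the first two missing controls, written for this page and not taken from rust-libp2p or its 0.17.1 patch: a registration table that enforces a per-peer cap and a global cap, with peer ids and namespaces modelled as plain strings (the real libp2p types, protocol handling and TTL expiry are left out), plus a small harness that counts how many of a burst of unique registrations the table accepts.

```rust
use std::collections::{HashMap, HashSet};

/// Illustrative bounded registration table (not rust-libp2p's code or its 0.17.1 patch).
/// Peer ids and namespaces are plain Strings; the real libp2p types are not used.
#[derive(Debug, PartialEq, Eq)]
pub enum RegisterError {
    PerPeerLimit { peer: String, limit: usize },
    GlobalLimit { limit: usize },
}
pub struct Registrations {
    by_peer: HashMap<String, HashSet<String>>,
    total: usize,
    max_per_peer: usize,
    max_total: usize,
}
impl Registrations {
    pub fn new(max_per_peer: usize, max_total: usize) -> Self {
        Registrations { by_peer: HashMap::new(), total: 0, max_per_peer, max_total }
    }
    /// Store a (peer, namespace) pair only while both budgets have room. Re-registering a pair
    /// the peer already holds is accepted without new allocation, so only growth is bounded.
    pub fn register(&mut self, peer: &str, namespace: &str) -> Result<(), RegisterError> {
        let held = self.by_peer.get(peer);
        if held.map_or(false, |s| s.contains(namespace)) {
            return Ok(());
        }
        if held.map_or(0, HashSet::len) >= self.max_per_peer {
            return Err(RegisterError::PerPeerLimit { peer: peer.to_string(), limit: self.max_per_peer });
        }
        if self.total >= self.max_total {
            return Err(RegisterError::GlobalLimit { limit: self.max_total });
        }
        self.by_peer.entry(peer.to_string()).or_default().insert(namespace.to_string());
        self.total += 1;
        Ok(())
    }
    /// Drop everything a peer registered (disconnect or TTL expiry) and return its budget.
    pub fn unregister_peer(&mut self, peer: &str) -> usize {
        let removed = self.by_peer.remove(peer).map_or(0, |s| s.len());
        self.total -= removed;
        removed
    }
    pub fn total(&self) -> usize { self.total }
}

/// Defender's harness: one identity tries `attempts` unique namespaces; count how many were accepted.
pub fn accepted_from_burst(table: &mut Registrations, peer: &str, attempts: usize) -> usize {
    (0..attempts).filter(|i| table.register(peer, &format!("ns-{}", i)).is_ok()).count()
}
```

Without the two checks in `register`, the harness would report every attempt accepted and `total` would grow without bound, which is exactly the pre-0.17.1 behaviour described above.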
Attack Vector
The attack exploits the network-accessible rendezvous server registration endpoint. An attacker performs the following steps:
- Establishes a connection to the target libp2p-rendezvous server
- Generates unique namespace strings in a continuous loop
- Sends registration requests for each unique namespace
- The server accepts and stores each registration, allocating memory
- Memory consumption grows until the server process is OOM-killed
The attack requires no authentication and can be executed remotely. The vulnerability is particularly concerning because libp2p-based systems often rely on rendezvous servers for critical peer discovery functionality, meaning a successful attack can disrupt entire decentralized networks.
For technical implementation details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35405
Indicators of Compromise
- Abnormally high memory consumption on systems running libp2p-rendezvous servers
- Rapid growth in registered namespace count from single or few peer identities
- OOM-killer events in system logs targeting rendezvous server processes
- Unusual patterns of registration requests from the same peer addresses
Detection Strategies
- Monitor memory usage trends on rendezvous server hosts and alert on unusual growth patterns
- Implement logging for namespace registration events and track per-peer registration counts
- Deploy application-level metrics to track total registered namespaces over time
- Configure system-level memory monitoring with alerting thresholds
Monitoring Recommendations
- Set up resource monitoring dashboards for libp2p-rendezvous server processes
- Implement log aggregation to detect patterns of excessive registration activity
- Configure alerting for memory pressure events before OOM conditions occur
- Monitor network traffic patterns to identify potential sybil attack sources
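As an added example (not part of the advisory or of rust-libp2p), the per-peer namespace count from the indicators above and the sybil-source check from the monitoring list, run over constructed registration log lines; the log format, field names, sample peers and addresses are all invented for this illustration.

```rust
use std::collections::{BTreeMap, HashSet};

/// Constructed log lines in an assumed format (not rust-libp2p's real log output):
/// `register addr=<source_ip> peer=<peer_id> ns=<namespace>`
pub fn sample_log() -> Vec<String> {
    let mut lines = vec![
        "register addr=203.0.113.10 peer=peerA ns=chat".to_string(),
        "register addr=203.0.113.11 peer=peerB ns=chat".to_string(),
        "register addr=203.0.113.11 peer=peerB ns=files".to_string(),
    ];
    // One source address cycling six sybil identities, each registering only unique namespaces.
    for i in 0..600u32 {
        lines.push(format!("register addr=198.51.100.7 peer=sybil{} ns=junk-{}", i % 6, i));
    }
    lines
}
#[derive(Debug, PartialEq, Eq)]
pub struct Alert { pub subject: String, pub reason: String }
/// Parse one line into (addr, peer, namespace); anything malformed yields None and is skipped.
fn parse(line: &str) -> Option<(&str, &str, &str)> {
    let mut f = line.split_whitespace();
    if f.next()? != "register" { return None; }
    Some((f.next()?.strip_prefix("addr=")?, f.next()?.strip_prefix("peer=")?,
          f.next()?.strip_prefix("ns=")?))
}
/// Flag peers holding more than `max_ns` distinct namespaces, and source addresses
/// presenting more than `max_ids` distinct peer ids (a sybil indicator).
pub fn detect(lines: &[String], max_ns: usize, max_ids: usize) -> Vec<Alert> {
    let mut ns_per_peer: BTreeMap<&str, HashSet<&str>> = BTreeMap::new();
    let mut ids_per_addr: BTreeMap<&str, HashSet<&str>> = BTreeMap::new();
    for (addr, peer, ns) in lines.iter().filter_map(|l| parse(l)) {
        ns_per_peer.entry(peer).or_default().insert(ns);
        ids_per_addr.entry(addr).or_default().insert(peer);
    }
    let mut alerts = Vec::new();
    for (peer, set) in &ns_per_peer {
        if set.len() > max_ns {
            alerts.push(Alert { subject: peer.to_string(),
                reason: format!("{} distinct namespaces (limit {})", set.len(), max_ns) });
        }
    }
    for (addr, ids) in &ids_per_addr {
        if ids.len() > max_ids {
            alerts.push(Alert { subject: addr.to_string(),
                reason: format!("{} distinct peer ids (limit {})", ids.len(), max_ids) });
        }
    }
    alerts
}
```

Against the constructed log, `detect(&sample_log(), 50, 3)` flags each of the six sybil identities and their shared source address while leaving the two ordinary peers alone.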
How to Mitigate CVE-2026-35405
Immediate Actions Required
- Upgrade libp2p-rust to version 0.17.1 or later immediately
- Audit all applications using libp2p-rendezvous server components for vulnerable versions
- Consider temporarily restricting network access to rendezvous servers until patching is complete
- Implement external rate limiting at the network layer as an interim measure
Patch Information
The vulnerability is fixed in libp2p-rust version 0.17.1. The patch introduces limits on namespace registrations per peer, preventing the resource exhaustion attack vector. Organizations should update their dependencies to the patched version through their package manager.
For detailed patch information and release notes, see the GitHub Security Advisory.
Workarounds
- Deploy network-level rate limiting to restrict registration request frequency per IP or peer
- Configure container or process memory limits to prevent system-wide impact from OOM conditions
- Implement external monitoring to automatically restart the rendezvous server process if memory thresholds are exceeded
- Consider using network access controls to limit which peers can connect to rendezvous servers
# Example: Setting process memory limits using systemd
# Add to the service unit file for the rendezvous server (values are examples; size them to the host)
[Service]
# Hard limit: if usage cannot be kept below this, the OOM killer acts inside the unit only,
# so the rendezvous process dies but the rest of the host keeps running
MemoryMax=2G
# Soft limit: above this threshold the kernel throttles the unit and reclaims memory aggressively,
# giving monitoring (see Detection Methods) time to alert before the hard limit is reached
MemoryHigh=1.5G
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.