CVE-2026-35457 Overview
CVE-2026-35457 is a resource exhaustion vulnerability affecting libp2p-rust, the official Rust implementation of the libp2p networking stack. Prior to version 0.17.1, the rendezvous server stores pagination cookies without any bounds checking. This design flaw allows an unauthenticated peer to repeatedly issue DISCOVER requests, forcing unbounded memory growth on the server and potentially leading to a denial-of-service condition.
Critical Impact
Unauthenticated attackers can exhaust server memory through repeated DISCOVER requests, causing service disruption for legitimate users of libp2p-based peer-to-peer networks.
Affected Products
- libp2p-rust versions prior to 0.17.1
- Applications using the libp2p rendezvous protocol server component
- Peer-to-peer networking applications built on vulnerable libp2p-rust versions
Discovery Timeline
- 2026-04-07 - CVE-2026-35457 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35457
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The libp2p rendezvous protocol enables peer discovery in decentralized networks, allowing peers to register and discover other peers through a central rendezvous point. The vulnerable component is the rendezvous server implementation, which maintains pagination cookies to support paginated DISCOVER responses when there are many registered peers.
The core issue lies in the server's handling of pagination state. When a client initiates a DISCOVER request, the server generates a pagination cookie to track the client's position in the result set. However, prior to version 0.17.1, these cookies were stored without any limits on quantity or lifetime. This architectural weakness enables a straightforward resource exhaustion attack.
Root Cause
The root cause is the absence of resource limits on pagination cookie storage in the rendezvous server. The implementation neither bounded the number of cookies that could be stored nor provided any mechanism to expire old ones. This oversight allows memory consumption to grow indefinitely as each new DISCOVER request creates an additional pagination state entry.
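To make the CWE-770 pattern concrete, the following is an added illustration (not rust-libp2p's actual rendezvous code; the store types, field names and limits are hypothetical) that places a cookie store with no cap and no expiry beside a hardened variant that enforces both a maximum entry count and a time-to-live:

```rust
use std::collections::{HashMap, VecDeque};
use std::time::{Duration, Instant};

/// Hypothetical model of the vulnerable pattern: every DISCOVER request adds a
/// pagination cookie and nothing ever removes one, so memory grows with request count.
pub struct UnboundedCookieStore {
    cookies: HashMap<u64, usize>, // cookie id -> offset into the result set
    next_id: u64,
}

impl UnboundedCookieStore {
    pub fn new() -> Self {
        Self { cookies: HashMap::new(), next_id: 0 }
    }

    /// Called once per DISCOVER request; the map only ever grows.
    pub fn on_discover(&mut self, offset: usize) -> u64 {
        let id = self.next_id;
        self.next_id += 1;
        self.cookies.insert(id, offset);
        id
    }

    pub fn len(&self) -> usize {
        self.cookies.len()
    }
}

/// Hardened variant: a hard cap on stored cookies (oldest evicted first) plus a
/// time-to-live, so resident state is bounded by `max_entries` no matter how many
/// requests arrive or whether clients ever finish paginating.
pub struct BoundedCookieStore {
    max_entries: usize,
    ttl: Duration,
    cookies: HashMap<u64, (usize, Instant)>, // id -> (offset, issued_at)
    order: VecDeque<u64>,                    // ids in issue order, oldest at the front
    next_id: u64,
}

impl BoundedCookieStore {
    pub fn new(max_entries: usize, ttl: Duration) -> Self {
        Self { max_entries, ttl, cookies: HashMap::new(), order: VecDeque::new(), next_id: 0 }
    }

    /// Drop cookies older than `ttl`. `order` is oldest-first, so scanning stops
    /// at the first cookie that is still live.
    pub fn expire(&mut self, now: Instant) {
        while let Some(&oldest) = self.order.front() {
            match self.cookies.get(&oldest) {
                Some((_, issued)) if now.duration_since(*issued) >= self.ttl => {
                    self.order.pop_front();
                    self.cookies.remove(&oldest);
                }
                Some(_) => break,
                None => {
                    self.order.pop_front(); // already evicted by the capacity cap
                }
            }
        }
    }

    /// Issue a cookie: expire stale entries first, then evict the oldest if at capacity.
    pub fn on_discover_at(&mut self, offset: usize, now: Instant) -> u64 {
        self.expire(now);
        while self.cookies.len() >= self.max_entries {
            match self.order.pop_front() {
                Some(old) => {
                    self.cookies.remove(&old);
                }
                None => break,
            }
        }
        let id = self.next_id;
        self.next_id += 1;
        self.cookies.insert(id, (offset, now));
        self.order.push_back(id);
        id
    }

    /// Resolve a cookie to its offset; expired or evicted cookies yield None, which a
    /// server would answer by restarting the client at the first page.
    pub fn lookup(&self, id: u64, now: Instant) -> Option<usize> {
        match self.cookies.get(&id) {
            Some((offset, issued)) if now.duration_since(*issued) < self.ttl => Some(*offset),
            _ => None,
        }
    }

    pub fn len(&self) -> usize {
        self.cookies.len()
    }
}

fn main() {
    let now = Instant::now();
    let mut unbounded = UnboundedCookieStore::new();
    let mut bounded = BoundedCookieStore::new(1_000, Duration::from_secs(300));
    for i in 0..100_000 {
        unbounded.on_discover(i);
        bounded.on_discover_at(i, now);
    }
    println!("unbounded store holds {} cookies", unbounded.len());
    println!("bounded store holds {} cookies", bounded.len());
}
```

The design choice worth noting is that the bound must hold independently of client behaviour: a client that never sends the follow-up request still cannot pin state, because both the count cap and the TTL are enforced on the server's own schedule rather than on the client completing the sequence.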
Attack Vector
The attack can be executed remotely over the network by any unauthenticated peer. An attacker connects to a vulnerable libp2p rendezvous server and sends a continuous stream of DISCOVER requests. Each request causes the server to allocate memory for pagination cookie storage without cleanup. The attacker does not need to complete the pagination sequence or perform any authentication.
The attack is particularly dangerous because:
- No authentication is required to issue DISCOVER requests
- The server allocates resources for each unique request
- Memory is not reclaimed, leading to cumulative exhaustion
- The attack can be sustained with minimal bandwidth from the attacker's side
Detection Methods for CVE-2026-35457
Indicators of Compromise
- Abnormal memory growth on systems running libp2p rendezvous servers
- High volume of DISCOVER requests from one or many peer identities
- Server process memory consumption increasing without corresponding legitimate peer activity
- Memory allocation patterns showing unbounded growth in pagination-related data structures
Detection Strategies
- Monitor memory utilization trends for libp2p server processes and alert on sustained growth
- Implement network-level rate limiting for DISCOVER request messages
- Track unique pagination cookie allocations and alert when thresholds are exceeded
- Deploy application performance monitoring to correlate memory spikes with incoming request patterns
Monitoring Recommendations
- Establish baseline memory usage for rendezvous server operations under normal conditions
- Configure alerts for memory consumption exceeding expected thresholds by 150% or more
- Log all DISCOVER requests with source peer identification for forensic analysis
- Implement connection tracking to identify peers sending excessive discovery requests
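The following is an added example (not rust-libp2p code; the log line format, peer identifiers and memory samples are constructed for illustration) that implements two of the detection strategies above: a sliding-window count of DISCOVER requests per peer identity, and a memory check that fires when resident size exceeds the established baseline by a configurable percentage. The baseline rule assumes "exceeding by 150%" means resident memory at or above baseline plus 150% of baseline:

```rust
use std::collections::{HashMap, VecDeque};

// Constructed sample log. The line format is an assumption for this example
// and is not rust-libp2p's actual logging output.
pub const SAMPLE_LOG: &str = "\
2026-04-07T12:00:00Z peer=QmLegitA msg=DISCOVER
2026-04-07T12:00:01Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:01Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:02Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:02Z peer=QmLegitB msg=REGISTER
2026-04-07T12:00:03Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:04Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:05Z peer=QmFlood1 msg=DISCOVER
2026-04-07T12:00:30Z peer=QmLegitA msg=DISCOVER
2026-04-07T12:01:10Z peer=QmFlood1 msg=DISCOVER
";

// Constructed resident-memory samples as (seconds since start, RSS in KiB).
pub const SAMPLE_MEM: &[(u64, u64)] =
    &[(0, 210_000), (60, 260_000), (120, 480_000), (180, 520_000), (240, 700_000)];

/// Parse the time-of-day of an RFC 3339-style timestamp ("...T12:00:05Z") into seconds.
pub fn time_of_day_secs(ts: &str) -> Option<u64> {
    let t = ts.split('T').nth(1)?.trim_end_matches('Z');
    let mut parts = t.split(':');
    let h: u64 = parts.next()?.parse().ok()?;
    let m: u64 = parts.next()?.parse().ok()?;
    let s: u64 = parts.next()?.parse().ok()?;
    Some(h * 3600 + m * 60 + s)
}

/// Extract (timestamp, peer) from a DISCOVER line; other message types yield None.
pub fn parse_discover(line: &str) -> Option<(u64, String)> {
    let mut ts = None;
    let mut peer = None;
    let mut msg = None;
    for (i, field) in line.split_whitespace().enumerate() {
        if i == 0 {
            ts = time_of_day_secs(field);
        } else if let Some(p) = field.strip_prefix("peer=") {
            peer = Some(p.to_string());
        } else if let Some(m) = field.strip_prefix("msg=") {
            msg = Some(m);
        }
    }
    if msg? != "DISCOVER" {
        return None;
    }
    Some((ts?, peer?))
}

/// Flag any peer that sends more than `max_per_window` DISCOVER requests within
/// any `window_secs`-second sliding window. Each peer keeps a queue of recent
/// request times; entries older than the window are dropped before counting.
pub fn flooding_peers(log: &str, window_secs: u64, max_per_window: usize) -> Vec<String> {
    let mut recent: HashMap<String, VecDeque<u64>> = HashMap::new();
    let mut flagged: Vec<String> = Vec::new();
    for line in log.lines() {
        let (ts, peer) = match parse_discover(line) {
            Some(ev) => ev,
            None => continue,
        };
        let q = recent.entry(peer.clone()).or_default();
        while let Some(&front) = q.front() {
            if ts.saturating_sub(front) > window_secs {
                q.pop_front();
            } else {
                break;
            }
        }
        q.push_back(ts);
        if q.len() > max_per_window && !flagged.contains(&peer) {
            flagged.push(peer);
        }
    }
    flagged
}

/// Return the sample times at which RSS is at or above baseline + pct_over% of baseline.
pub fn memory_alerts(samples: &[(u64, u64)], baseline_kb: u64, pct_over: u64) -> Vec<u64> {
    let limit = baseline_kb + baseline_kb * pct_over / 100;
    samples.iter().filter(|(_, rss)| *rss >= limit).map(|(t, _)| *t).collect()
}

fn main() {
    println!("peers exceeding 5 DISCOVERs per 10s: {:?}", flooding_peers(SAMPLE_LOG, 10, 5));
    println!("memory alerts (150% over 200000 KiB): {:?}", memory_alerts(SAMPLE_MEM, 200_000, 150));
}
```

The two signals are complementary: the per-peer rate catches a single noisy identity early, while the memory trend catches a distributed flood where no single identity trips the rate threshold. Correlating a memory alert with a rise in total DISCOVER volume, rather than with one peer, is what separates this condition from an ordinary load increase.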
How to Mitigate CVE-2026-35457
Immediate Actions Required
- Upgrade libp2p-rust to version 0.17.1 or later immediately
- Audit applications using libp2p-rust to identify vulnerable deployments
- Implement network-level rate limiting for discovery protocol messages as a temporary measure
- Monitor server memory utilization closely until patches are applied
Patch Information
The vulnerability is fixed in libp2p-rust version 0.17.1. The patch implements bounds on pagination cookie storage, preventing unbounded memory growth from DISCOVER requests. For detailed information about the fix, refer to the GitHub Security Advisory.
To upgrade, update your Cargo.toml dependency to specify the patched version and rebuild your application.
Workarounds
- Deploy network-level rate limiting on discovery protocol traffic as a temporary mitigation
- Implement external resource monitoring with automatic process restart capabilities when memory thresholds are exceeded
- Consider temporarily disabling the rendezvous server functionality if not critical to operations
- Use firewall rules to restrict which peers can send DISCOVER requests to the server
# Example: update Cargo.toml to use the patched version.
# In your Cargo.toml, set the libp2p dependency to the patched release:
#
#   [dependencies]
#   libp2p = "0.17.1"
#
# Then refresh the lockfile and rebuild the application against the patched dependency:
cargo update
cargo build --release
# Confirm which version of libp2p was actually resolved into the build:
cargo tree -i libp2p
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.