libp2p-rust Gossipsub PRUNE Backoff Flaws Enable Remote DoS
Two high-severity flaws in the Rust implementation of libp2p allow a remote peer to crash any application running the Gossipsub protocol by sending a crafted PRUNE control message that carries an extremely large backoff value. CVE-2026-33040 affects versions prior to 0.49.3: unchecked time arithmetic in the networking state machine panics on the oversized value and takes the process down. CVE-2026-34219 affects versions prior to 0.49.4: improper backoff expiry handling leads to an Instant + Duration overflow during heartbeat processing, which in Rust is a panic rather than a silently wrapped value.
Both bugs are reachable over ordinary Gossipsub peer connectivity, including TCP sessions secured with Noise and multiplexed with mplex or yamux, and require no authentication beyond establishing a protocol-level peer relationship: any peer that completes the handshake and can exchange Gossipsub control messages can trigger them. Both are classified under CWE-190 (integer overflow), and the newer advisory also cites CWE-617 (reachable assertion). The impact is on availability: an unauthenticated or minimally authenticated remote attacker can force a panic in any exposed service. Maintainers patched the issues in libp2p-rust 0.49.3 and 0.49.4 respectively, so upgrading to 0.49.4 or later closes both.
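The pattern behind both advisories, as an added illustration that is not libp2p-rust's code and does not reproduce its internal structure: a Gossipsub PRUNE carries a backoff in seconds as a 64-bit integer, and if the receiver computes the expiry with plain Instant + Duration, a value near u64::MAX panics the process. The hardened form clamps the wire value to a local policy maximum (MAX_BACKOFF, an assumed value here) and uses checked_add so an unrepresentable sum is an error rather than a panic; the heartbeat then only compares stored Instants and does no arithmetic on peer-controlled values. The BackoffTable type, the peer names and the numeric values are constructed for the example.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Longest backoff this node will honour for a peer-supplied value.
/// Assumed policy limit for the example, not a constant from libp2p-rust.
pub const MAX_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// Vulnerable pattern: the wire value is trusted as-is. `Instant + Duration`
/// panics ("overflow when adding duration to instant") when the sum cannot be
/// represented, so a PRUNE with backoff = u64::MAX aborts the task or process.
pub fn backoff_expiry_unchecked(now: Instant, backoff_secs: u64) -> Instant {
    now + Duration::from_secs(backoff_secs)
}

/// Hardened pattern: clamp to policy first, then use checked arithmetic so an
/// unrepresentable result is reported as None instead of panicking.
pub fn backoff_expiry_checked(now: Instant, backoff_secs: u64) -> Option<Instant> {
    let clamped = Duration::from_secs(backoff_secs).min(MAX_BACKOFF);
    now.checked_add(clamped)
}

/// Minimal model of a backoff table keyed by peer id (constructed for the
/// example; libp2p-rust's own bookkeeping differs).
#[derive(Default)]
pub struct BackoffTable {
    expiry: HashMap<String, Instant>,
}

impl BackoffTable {
    /// Handle a PRUNE from `peer`. Returns false if the backoff was rejected.
    pub fn on_prune(&mut self, now: Instant, peer: &str, backoff_secs: u64) -> bool {
        match backoff_expiry_checked(now, backoff_secs) {
            Some(exp) => {
                self.expiry.insert(peer.to_owned(), exp);
                true
            }
            None => false,
        }
    }

    /// True while `peer` may not be re-GRAFTed.
    pub fn is_backed_off(&self, now: Instant, peer: &str) -> bool {
        self.expiry.get(peer).map_or(false, |exp| *exp > now)
    }

    /// Heartbeat: only compares stored instants and never adds peer-controlled
    /// durations, so no overflow is possible here. Returns released peers.
    pub fn heartbeat(&mut self, now: Instant) -> Vec<String> {
        let mut released = Vec::new();
        self.expiry.retain(|peer, exp| {
            if *exp <= now {
                released.push(peer.clone());
                false
            } else {
                true
            }
        });
        released.sort();
        released
    }
}

fn main() {
    let now = Instant::now();
    let mut table = BackoffTable::default();
    // Constructed PRUNE messages: a normal backoff and a hostile one.
    table.on_prune(now, "peer-a", 60);
    table.on_prune(now, "peer-b", u64::MAX);
    println!("peer-b backed off: {}", table.is_backed_off(now, "peer-b"));
    println!("released after 61s: {:?}", table.heartbeat(now + Duration::from_secs(61)));
    // The unchecked variant panics on the same hostile input.
    let hostile = std::panic::catch_unwind(move || backoff_expiry_unchecked(now, u64::MAX));
    println!("unchecked variant panicked: {}", hostile.is_err());
}
```

Clamping before the addition is what matters: a checked_add alone would still let a peer reject every backoff by sending huge values, whereas clamping turns an absurd request into the longest backoff the local policy allows and keeps the heartbeat free of attacker-influenced arithmetic.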
Timeline
Mar 31, 2026
libp2p-rust fixes CVE-2026-34219 in version 0.49.4
A second Gossipsub denial-of-service flaw involving improper backoff expiry handling and unchecked Instant-plus-Duration arithmetic was patched in libp2p-rust version 0.49.4. The issue affected versions prior to 0.49.4 and could be triggered by a crafted PRUNE control message from a reachable peer.
Mar 20, 2026
libp2p-rust fixes CVE-2026-33040 in version 0.49.3
A denial-of-service vulnerability in the Rust libp2p Gossipsub implementation, caused by unchecked time arithmetic on a crafted PRUNE backoff value, was fixed in libp2p-rust version 0.49.3. The flaw affected versions prior to 0.49.3 and allowed a remote unauthenticated attacker to trigger a panic.
Related Stories

rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in **rust-openssl**, the Rust bindings for OpenSSL, affecting multiple `0.9.x` and `0.10.x` releases prior to **`0.10.78`**. **`CVE-2026-41898`** affects versions from `0.9.24` up to, but not including, `0.10.78`, where several FFI trampoline callback paths passed a closure-returned `usize` to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to **`CWE-126`** and **`CWE-130`**. A second issue, **`CVE-2026-41681`**, affects versions from `0.10.39` up to, but not including, `0.10.78`, in `MdCtxRef::digest_final()`, which writes `EVP_MD_CTX_size(ctx)` bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as **`CWE-121`**. Both vulnerabilities were addressed in **`rust-openssl 0.10.78`**, with public advisories, code references, and fix details released alongside the CVE records.
1 week ago
High-Severity Buffer Overflows Disclosed in PJSIP Audio and Authentication Code
Two high-severity vulnerabilities were disclosed in **PJSIP** affecting version `2.16` and earlier, exposing the widely used multimedia communication library to memory corruption risks. `CVE-2026-40614` is a **heap buffer overflow** in the Opus codec decode path, where insufficient validation of buffer sizes allows `codec_decode()` to copy more data than allocated after `codec_parse()` emits encoded frames larger than the FEC decode buffer calculation anticipates. The flaw is tied to unchecked `pj_memcpy()` operations and was classified as `CWE-122`, with high potential impact to confidentiality, integrity, and availability. A second issue, `CVE-2026-40892`, is a **stack buffer overflow** in `pjsip_auth_create_digest2()` when pre-computed digest credentials are supplied through `PJSIP_CRED_DATA_DIGEST`. In that path, credential data is copied using `cred_info->data.slen` without enforcing the expected digest-length limit, allowing overflow of the fixed 128-byte `ha1` stack buffer. The vulnerability was classified as `CWE-121`, and both CVEs were published with GitHub advisory references and fixing commits, indicating that maintainers have issued patches for affected deployments.
1 week ago
Bandit WebSocket flaws allow unauthenticated memory exhaustion
Two high-severity denial-of-service vulnerabilities have been disclosed in **mtrudel Bandit** that let unauthenticated remote attackers exhaust server memory through WebSocket handling. `CVE-2026-42786` affects Bandit versions `0.5.0` before `1.11.0` and stems from unbounded accumulation of fragmented WebSocket continuation frames in `Elixir.Bandit.WebSocket.Connection.handle_frame/3`; Bandit appends fragments to a per-connection iolist without any cumulative size limit, so an attacker can keep sending `fin: false` frames until the BEAM node runs out of memory. The issue occurs before `WebSock.handle_in/2` is reached, preventing application-level checks from stopping the buildup, and it can expose Phoenix Channels and LiveView deployments that accept socket connections. A second flaw, `CVE-2026-39804`, affects Bandit versions `0.5.9` before `1.11.0` and is caused by unbounded decompression in `Elixir.Bandit.WebSocket.PerMessageDeflate:inflate/2`, where `:zlib.inflate/2` is used without an output-size cap before the payload is converted into a single binary. A small compressed WebSocket frame can therefore trigger massive memory allocation and potentially an out-of-memory kill before application code executes. This issue is limited to deployments that enable WebSocket compression at both the Bandit server level (`websocket_options.compress`) and during upgrade (`compress: true` in `WebSockAdapter.upgrade/4`); stock Phoenix and LiveView defaults are reported as unaffected because compression is disabled by default.
Yesterday