CVE-2026-33040

CVE-2026-33040 is a high-severity integer overflow or wraparound vulnerability in libp2p-gossipsub (rust), affecting versions < 0.49.3. It is fixed in 0.49.3.

Summary

The Rust libp2p Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state.
A specially crafted PRUNE control message with an extremely large backoff (e.g. u64::MAX seconds) can overflow the Duration/Instant arithmetic in the backoff update logic, triggering a panic in the networking state machine. The panic is reachable remotely over an ordinary libp2p connection and does not require authentication: any peer that can complete the transport handshake and open a Gossipsub stream can send the message.

Attack Scenario

An attacker that can establish a libp2p Gossipsub session with a target node can crash the target by sending a single crafted PRUNE control message:

  1. Establish a standard libp2p transport session and negotiate a stream multiplexer.
  2. Open a Gossipsub stream and negotiate the meshsub protocol.
  3. Send one protobuf RPC containing ControlPrune with a very large backoff value (e.g. 18446744073709551615 / u64::MAX).
    When processed, the oversized backoff can reach time-update logic that adds Duration::from_secs(backoff) to Instant::now(), causing overflow and panic.
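The arithmetic the scenario describes, as an added Rust example that is not libp2p-gossipsub's own code: `backoff_expiry_unchecked` models the overflowing update (a peer-supplied second count turned into a `Duration` and added to `Instant::now()`). With `u64::MAX` it panics, because the `Instant + Duration` operator is checked internally and panics when the result cannot be represented. `backoff_expiry_checked` is the hardened form: it clamps the peer-controlled value to a policy ceiling and uses `Instant::checked_add`, so no value a remote peer can send reaches a panicking operator. The function names and the one-hour `MAX_BACKOFF` ceiling are assumptions for illustration, not the library's API or its chosen limit.

```rust
use std::time::{Duration, Instant};

/// Model of the vulnerable update path described in the advisory (not the
/// project's code): the backoff field of a PRUNE is trusted as-is and added
/// to the current instant. `Instant + Duration` calls `checked_add` under the
/// hood and panics with "overflow when adding duration to instant" when the
/// sum does not fit, so backoff = u64::MAX crashes the task that runs this.
pub fn backoff_expiry_unchecked(peer_backoff_secs: u64) -> Instant {
    Instant::now() + Duration::from_secs(peer_backoff_secs)
}

/// Assumed policy ceiling for a peer-requested backoff (one hour). A real
/// implementation would pick its own limit; the point is that the bound is
/// chosen by the node, not by the remote peer.
pub const MAX_BACKOFF: Duration = Duration::from_secs(60 * 60);

/// Clamp the attacker-controlled value before it is used in any arithmetic.
/// Duration::from_secs itself cannot overflow for any u64, so the clamp is
/// safe to apply to the raw wire value.
pub fn clamp_backoff(peer_backoff_secs: u64) -> Duration {
    Duration::from_secs(peer_backoff_secs).min(MAX_BACKOFF)
}

/// Hardened update: clamp first, then use checked arithmetic. Returning
/// Option keeps the failure mode a recoverable value rather than a panic;
/// with the clamp in place this is always Some in practice.
pub fn backoff_expiry_checked(peer_backoff_secs: u64) -> Option<Instant> {
    Instant::now().checked_add(clamp_backoff(peer_backoff_secs))
}

fn main() {
    // Constructed input: the backoff value from step 3 of the attack scenario.
    let hostile_backoff = u64::MAX;

    // Hardened path: the hostile value is reduced to the policy ceiling.
    let expiry = backoff_expiry_checked(hostile_backoff).expect("clamped backoff always fits");
    println!(
        "hardened path: backoff clamped to ~{:?}",
        expiry.saturating_duration_since(Instant::now())
    );

    // Vulnerable path: catch the panic so the demonstration can report it.
    // In a real node there is no catch_unwind around the connection handler,
    // so this panic takes the networking state machine down.
    let outcome = std::panic::catch_unwind(|| backoff_expiry_unchecked(hostile_backoff));
    println!("unchecked path panicked: {}", outcome.is_err());
}
```

Running the binary prints the clamped backoff (about one hour) for the hardened path and `unchecked path panicked: true` for the modeled vulnerable path; the panic message from the standard library appears on stderr. The same clamp-then-check pattern applies to any other peer-supplied time value the protocol carries, not only PRUNE backoff.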

Impact

Remote unauthenticated denial of service.
Any application exposing a libp2p Gossipsub listener and using the affected backoff-handling path can be crashed by a network attacker that can reach the service port. The attack can be repeated by reconnecting and replaying the crafted control message.

An integer overflow or wraparound occurs when an arithmetic operation produces a value that exceeds the type's maximum. In unchecked code the value wraps to an unexpectedly small number, and the typical impact is incorrect size calculations leading to heap overflows or logic errors. In this case the overflow surfaces differently: Rust's Instant addition is checked internally and panics when the sum cannot be represented, so the consequence is a crash of the networking task (denial of service) rather than memory corruption.

Affected versions

libp2p-gossipsub (< 0.49.3)

Security releases

libp2p-gossipsub → 0.49.3 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade libp2p-gossipsub to 0.49.3 or later, the release that hardens Gossipsub backoff handling. Because the crate is usually pulled in transitively through libp2p, check whether it is present in the dependency tree (for example with `cargo tree -i libp2p-gossipsub`) and confirm that the lock file resolves to 0.49.3 or later after updating. Nodes that expose a Gossipsub listener to untrusted peers should be prioritised, since the message is accepted from any connected peer.

This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program.

Frequently Asked Questions

  1. What is CVE-2026-33040? CVE-2026-33040 is a high-severity integer overflow or wraparound vulnerability in libp2p-gossipsub (rust), affecting versions < 0.49.3. It is fixed in 0.49.3. An arithmetic operation on an attacker-controlled PRUNE backoff value produces a result that exceeds what the time type can represent, and the resulting panic crashes the networking state machine.
  2. Which versions of libp2p-gossipsub are affected by CVE-2026-33040? libp2p-gossipsub (rust) versions < 0.49.3 are affected.
  3. Is there a fix for CVE-2026-33040? Yes. CVE-2026-33040 is fixed in 0.49.3. Upgrade to this version or later.
  4. Is CVE-2026-33040 exploitable, and should I be worried? Whether CVE-2026-33040 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-33040 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-33040? Upgrade libp2p-gossipsub to 0.49.3 or later.
