CVE-2026-35405: libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
It was found that the libp2p-rendezvous server enforces no limit on how many namespaces a single peer can register. A malicious peer can register unique namespaces in a loop, and the server accepts every one, allocating memory for each registration with no pushback. Sustained long enough (or with multiple sybil peers), this drives the server process to being OOM killed.

No authentication is required; any peer on the network can do this.
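As an added example (not the crate's own code), the mitigation side: an in-memory registration table in Rust that rejects a REGISTER once a peer already holds a fixed number of distinct namespaces. The cap value, the `Registrations` type and its method names are assumptions for illustration.

```rust
use std::collections::{HashMap, HashSet};

/// Maximum distinct namespaces one peer may hold at a time (assumed value).
pub const MAX_NAMESPACES_PER_PEER: usize = 16;

#[derive(Debug, PartialEq, Eq)]
pub enum RegisterError {
    TooManyNamespaces { peer: String, limit: usize },
}

/// Server-side registration state keyed by peer id (hypothetical type,
/// standing in for whatever the real rendezvous server keeps per REGISTER).
#[derive(Default)]
pub struct Registrations {
    by_peer: HashMap<String, HashSet<String>>,
}

impl Registrations {
    /// Accept a registration unless this peer is already at the cap.
    pub fn register(&mut self, peer: &str, namespace: &str) -> Result<(), RegisterError> {
        let set = self.by_peer.entry(peer.to_string()).or_default();
        // Re-registering a namespace the peer already holds allocates nothing new.
        if set.contains(namespace) {
            return Ok(());
        }
        if set.len() >= MAX_NAMESPACES_PER_PEER {
            return Err(RegisterError::TooManyNamespaces {
                peer: peer.to_string(),
                limit: MAX_NAMESPACES_PER_PEER,
            });
        }
        set.insert(namespace.to_string());
        Ok(())
    }

    /// Drop one registration and free the peer entry when it becomes empty.
    pub fn unregister(&mut self, peer: &str, namespace: &str) {
        if let Some(set) = self.by_peer.get_mut(peer) {
            set.remove(namespace);
            if set.is_empty() {
                self.by_peer.remove(peer);
            }
        }
    }

    /// Number of distinct namespaces currently held by one peer.
    pub fn namespaces_for(&self, peer: &str) -> usize {
        self.by_peer.get(peer).map_or(0, HashSet::len)
    }

    /// Total registrations across all peers; a global cap belongs here too.
    pub fn total(&self) -> usize {
        self.by_peer.values().map(HashSet::len).sum()
    }
}
```

A per-peer cap bounds what one identity can allocate but not what many sybil identities can allocate together, so a server also needs a global bound on `total()` or on accepted connections.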