CVE-2026-35405: libp2p-rendezvous: Unlimited namespace registrations per peer enables OOM DoS on rendezvous servers
The libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can repeatedly register unique namespaces in a loop, and the server accepts every request, allocating memory for each registration without pushback. If an attacker keeps submitting such requests for long enough (or uses multiple Sybil peers), the server process crashes due to OOM.
No authentication is required, so any peer on the network can do this.
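To make the failure mode concrete, here is an added example (not code from the libp2p-rendezvous crate) that models a rendezvous registration table twice: once accepting every registration as the advisory describes, and once with a per-peer namespace cap plus a table-wide cap so that Sybil peers cannot simply multiply the per-peer budget. The type names and limit values are assumptions for illustration.

```rust
// Added example, not libp2p-rendezvous code: a minimal registration table showing
// the unbounded behaviour from the advisory beside a capped variant. Names assumed.
use std::collections::{HashMap, HashSet};
/// Distinct namespaces a single peer may hold (assumed policy value).
pub const MAX_NAMESPACES_PER_PEER: usize = 16;
/// Registrations the whole table may hold, bounding Sybil peers too (assumed value).
pub const MAX_TOTAL_REGISTRATIONS: usize = 10_000;

#[derive(Debug, PartialEq, Eq)]
pub enum RegisterError {
    PeerLimit { peer: String, limit: usize },
    TableLimit { limit: usize },
}

/// Registration table: peer id -> set of namespaces that peer is registered in.
#[derive(Default)]
pub struct Registrations {
    by_peer: HashMap<String, HashSet<String>>,
    total: usize,
}

impl Registrations {
    /// Behaviour described in the advisory: every request is accepted, so a peer
    /// looping over unique namespaces grows the table until memory runs out.
    pub fn register_unbounded(&mut self, peer: &str, ns: &str) {
        if self.by_peer.entry(peer.to_string()).or_default().insert(ns.to_string()) {
            self.total += 1;
        }
    }

    /// Hardened variant: refreshing an existing registration is always allowed,
    /// but a new namespace is rejected once either cap would be exceeded.
    pub fn register_bounded(&mut self, peer: &str, ns: &str) -> Result<(), RegisterError> {
        let held = self.by_peer.get(peer);
        if held.map_or(false, |s| s.contains(ns)) {
            return Ok(()); // refresh of a known namespace allocates nothing new
        }
        if held.map_or(0, |s| s.len()) >= MAX_NAMESPACES_PER_PEER {
            return Err(RegisterError::PeerLimit { peer: peer.to_string(), limit: MAX_NAMESPACES_PER_PEER });
        }
        if self.total >= MAX_TOTAL_REGISTRATIONS {
            return Err(RegisterError::TableLimit { limit: MAX_TOTAL_REGISTRATIONS });
        }
        // Only now allocate: rejected peers never get an (empty) entry of their own.
        self.by_peer.entry(peer.to_string()).or_default().insert(ns.to_string());
        self.total += 1;
        Ok(())
    }

    pub fn count_for(&self, peer: &str) -> usize { self.by_peer.get(peer).map_or(0, |s| s.len()) }
    pub fn total_registrations(&self) -> usize { self.total }
}
```

A real server would also expire registrations by TTL and surface the rejection to the peer as an error response, which this model leaves out.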