CVE-2026-35457: libp2p-rendezvous: Unbounded rendezvous DISCOVER cookies enable remote memory exhaustion

April 4, 2026 (updated April 7, 2026)

The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth.

References

github.com/advisories/GHSA-v5hw-cv9c-rpg7
github.com/libp2p/rust-libp2p
github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7
nvd.nist.gov/vuln/detail/CVE-2026-35457

Code Behaviors & Features

Detect and mitigate CVE-2026-35457 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →