{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35457", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.193Z", "datePublished": "2026-04-07T14:22:19.941Z", "dateUpdated": "2026-04-07T17:53:37.355Z"}, "containers": {"cna": {"title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"}], "affected": [{"vendor": "libp2p", "product": "rust-libp2p", "versions": [{"version": "< 0.17.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:22:19.941Z"}, "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."}], "source": {"advisory": "GHSA-v5hw-cv9c-rpg7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T17:53:22.542830Z", "id": "CVE-2026-35457", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:53:37.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35457", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T17:53:22.542830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:53:25.830Z"}}], "cna": {"title": "libp2p-rust has unbounded rendezvous DISCOVER cookies enable remote memory exhaustion", "source": {"advisory": "GHSA-v5hw-cv9c-rpg7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "libp2p", "product": "rust-libp2p", "versions": [{"status": "affected", "version": "< 0.17.1"}]}], "references": [{"url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7", "name": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T14:22:19.941Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35457", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:53:37.355Z", "dateReserved": "2026-04-02T19:25:52.193Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T14:22:19.941Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, the rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue DISCOVER requests and force unbounded memory growth. This vulnerability is fixed in 0.17.1."}], "id": "CVE-2026-35457", "lastModified": "2026-04-07T15:17:43.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T15:17:43.587", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-v5hw-cv9c-rpg7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{}