CVE-2026-34062: CWE-770: Allocation of Resources Without Limits or Throttling in nimiq network-libp2p
nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
AI Analysis
Technical Summary
The vulnerability in nimiq-libp2p versions before 1.3.0 arises because the MessageCodec::read_request and read_response methods call read_to_end() on inbound substreams, allowing a remote peer to send only partial frames and keep the substream open indefinitely. Additionally, the Behaviour::new configuration sets with_max_concurrent_streams to 1000, which is significantly higher than the library default, increasing the number of stalled substreams that can be maintained simultaneously. This results in allocation of resources without limits or throttling (CWE-770), potentially leading to denial of service by exhausting available substream slots. The issue is addressed in version 1.3.0 of the library. There are no known workarounds.
Potential Impact
The vulnerability allows a remote attacker to keep inbound substreams open by sending partial frames, which can exhaust the node's resources allocated for handling concurrent streams. This can cause denial of service conditions by stalling legitimate network activity. The CVSS score of 5.3 reflects a medium severity impact with no confidentiality or integrity loss but availability impact due to resource exhaustion.
Mitigation Recommendations
A patch fixing this vulnerability is available in nimiq network-libp2p version 1.3.0. Users should upgrade to version 1.3.0 or later to remediate this issue. No known workarounds exist, so upgrading is the recommended and necessary action.
CVE-2026-34062: CWE-770: Allocation of Resources Without Limits or Throttling in nimiq network-libp2p
Description
nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nimiq-libp2p versions before 1.3.0 arises because the MessageCodec::read_request and read_response methods call read_to_end() on inbound substreams, allowing a remote peer to send only partial frames and keep the substream open indefinitely. Additionally, the Behaviour::new configuration sets with_max_concurrent_streams to 1000, which is significantly higher than the library default, increasing the number of stalled substreams that can be maintained simultaneously. This results in allocation of resources without limits or throttling (CWE-770), potentially leading to denial of service by exhausting available substream slots. The issue is addressed in version 1.3.0 of the library. There are no known workarounds.
Potential Impact
The vulnerability allows a remote attacker to keep inbound substreams open by sending partial frames, which can exhaust the node's resources allocated for handling concurrent streams. This can cause denial of service conditions by stalling legitimate network activity. The CVSS score of 5.3 reflects a medium severity impact with no confidentiality or integrity loss but availability impact due to resource exhaustion.
Mitigation Recommendations
A patch fixing this vulnerability is available in nimiq network-libp2p version 1.3.0. Users should upgrade to version 1.3.0 or later to remediate this issue. No known workarounds exist, so upgrading is the recommended and necessary action.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.866Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9290319fe3cd2cde95594
Added to database: 4/22/2026, 8:01:07 PM
Last enriched: 4/22/2026, 8:16:39 PM
Last updated: 4/23/2026, 3:08:32 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.