CVE-2026-34062 MEDIUM

CVE-2026-34062: Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response

Vendor Nimiq
Product network-libp2p
Weakness CWE-770 · Allocation of Resources Without Limits or Throttling
Published April 22, 2026
Last update April 23, 2026

CVSS base score

5.3/10 (Medium)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a read completes only when the remote peer closes the substream. A remote peer can therefore send a partial frame and simply keep the substream open, tying up one inbound stream slot indefinitely. Because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger budget of stallable slots than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
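As an added example (not code from nimiq-libp2p), a bounded, length-prefixed frame reader in plain Rust shows the defensive shape the description points at: instead of `read_to_end()`, which completes only when the peer closes the substream, the reader takes a declared length, refuses oversize frames before allocating, and reports a short frame as an error so the caller can drop the stream. The frame layout, `MAX_FRAME_LEN` and the `FrameError` type are assumptions for illustration, not the project's wire format.

```rust
// Added example: bounded frame read as the alternative to read_to_end().
// Assumed frame layout: 4-byte big-endian length, then that many payload bytes.
use std::io::{self, Read};

/// Upper bound on a single request/response frame (assumed value).
pub const MAX_FRAME_LEN: usize = 64 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// Declared length exceeds MAX_FRAME_LEN; refused before any allocation.
    TooLarge(usize),
    /// The stream ended before the declared length arrived.
    Truncated { expected: usize, got: usize },
    /// Any other I/O failure (including EOF inside the 4-byte header).
    Io(io::ErrorKind),
}

impl From<io::Error> for FrameError {
    fn from(e: io::Error) -> Self {
        FrameError::Io(e.kind())
    }
}

/// Reads exactly one frame. The peer must declare a length up front, the
/// payload buffer is sized from that (capped) length, and a short read is an
/// error rather than an open-ended wait for the peer to close the substream.
pub fn read_frame<R: Read>(mut reader: R) -> Result<Vec<u8>, FrameError> {
    let mut len_buf = [0u8; 4];
    reader.read_exact(&mut len_buf)?;
    let len = u32::from_be_bytes(len_buf) as usize;
    if len > MAX_FRAME_LEN {
        return Err(FrameError::TooLarge(len));
    }
    let mut payload = vec![0u8; len];
    let mut got = 0;
    while got < len {
        match reader.read(&mut payload[got..]) {
            // EOF before the full frame: report it instead of waiting.
            Ok(0) => return Err(FrameError::Truncated { expected: len, got }),
            Ok(n) => got += n,
            Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
            Err(e) => return Err(e.into()),
        }
    }
    Ok(payload)
}
```

In an async codec the same read would additionally be wrapped in a per-stream timeout, so a peer that declares a length and then stops sending is also cut off; that half is not shown here.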

Key dates

Disclosure timeline

April 22, 2026 CVE published
April 23, 2026 Record updated