Description
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
Published: 2026-03-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Yamux, a stream multiplexer that runs over reliable, ordered transports such as TCP/IP, has a flaw in its send-window accounting that can be triggered by a specially crafted WindowUpdate frame. The credit carried by the frame is added to the stream's send window without an adequate bounds check; the resulting arithmetic overflow panics the connection state machine. Whether that panic takes down the whole process or only the task driving the affected connection depends on how the embedding application runs the yamux connection and on its panic strategy, but in either case the connection is lost. The vulnerability is exploitable remotely via a normal network connection and does not require authentication, so any application using the vulnerable library is exposed to denial of service by any peer that can open a connection to it.

Affected Systems

The vulnerability affects the libp2p:rust-yamux package versions ranging from 0.13.0 up to but not including 0.13.9. The specific CPE identifier is cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:*.

Risk and Exploitability

The CVSS 4.0 base score of 8.7 (CVSS 3.1: 7.5) classifies this as a high severity issue; the full vector is availability-only impact (VA:H), with no confidentiality or integrity impact. The EPSS score of less than 1% indicates a low observed probability of exploitation, and CISA has not listed it in the Known Exploited Vulnerabilities catalog. Exploitation requires only the ability to establish a yamux session with the target and send a WindowUpdate frame whose credit overflows the current send window; no prior data exchange or credentials are needed. Successful exploitation results in a panic, causing denial of service for the affected connection or process and potentially disrupting the peers it was serving. Because a single malformed frame suffices, a hostile peer can repeat the attack on every reconnection.
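To make the mechanism behind the Impact and Risk sections concrete, the following is an added illustration in Rust; it is not rust-yamux source code and does not reproduce the crate's internal types. It models the 12-byte yamux frame header (version, type, flags, stream id, length; for a WindowUpdate the length field carries the credit delta), a vulnerable pattern that aborts when a peer's credit overflows a u32 send window, and the hardened pattern that turns the same input into a protocol error the connection can act on. The `Header`, `FrameError`, `apply_window_update_*` and `window_update_frame` names, the 256 KiB starting window and the test frames are all constructed for this example.

```rust
// Added example, not rust-yamux code: a peer-supplied WindowUpdate credit
// overflowing a u32 send window, and the check that rejects it.

const HEADER_LEN: usize = 12;
const TYPE_WINDOW_UPDATE: u8 = 0x1;

#[derive(Debug, PartialEq)]
pub struct Header {
    pub version: u8,
    pub frame_type: u8,
    pub flags: u16,
    pub stream_id: u32,
    pub length: u32, // for WindowUpdate this is the credit delta
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    UnsupportedVersion(u8),
    WrongType(u8),
    WindowOverflow { current: u32, delta: u32 },
}

/// Parse the fixed 12-byte yamux header (all fields big-endian).
pub fn parse_header(buf: &[u8]) -> Result<Header, FrameError> {
    if buf.len() < HEADER_LEN {
        return Err(FrameError::Truncated);
    }
    let version = buf[0];
    if version != 0 {
        return Err(FrameError::UnsupportedVersion(version));
    }
    Ok(Header {
        version,
        frame_type: buf[1],
        flags: u16::from_be_bytes([buf[2], buf[3]]),
        stream_id: u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]),
        length: u32::from_be_bytes([buf[8], buf[9], buf[10], buf[11]]),
    })
}

/// Vulnerable pattern (hypothetical): trusts the peer's delta and panics on
/// overflow, which is what a remote peer can trigger with one frame.
pub fn apply_window_update_panicking(send_window: u32, hdr: &Header) -> u32 {
    send_window
        .checked_add(hdr.length)
        .expect("send window overflow")
}

/// Hardened pattern: validate the frame and return a protocol error on
/// overflow so the caller can close the connection instead of panicking.
pub fn apply_window_update_checked(send_window: u32, hdr: &Header) -> Result<u32, FrameError> {
    if hdr.frame_type != TYPE_WINDOW_UPDATE {
        return Err(FrameError::WrongType(hdr.frame_type));
    }
    send_window.checked_add(hdr.length).ok_or(FrameError::WindowOverflow {
        current: send_window,
        delta: hdr.length,
    })
}

/// Build a WindowUpdate frame for stream `id` carrying `delta` credit
/// (constructed input for the example, as a hostile peer could send it).
pub fn window_update_frame(id: u32, delta: u32) -> [u8; HEADER_LEN] {
    let mut f = [0u8; HEADER_LEN];
    f[1] = TYPE_WINDOW_UPDATE;
    f[4..8].copy_from_slice(&id.to_be_bytes());
    f[8..12].copy_from_slice(&delta.to_be_bytes());
    f
}

fn main() {
    let initial: u32 = 256 * 1024; // yamux default initial window
    let benign = parse_header(&window_update_frame(1, 1024)).unwrap();
    println!("benign credit: {:?}", apply_window_update_checked(initial, &benign));

    let hostile = parse_header(&window_update_frame(1, u32::MAX)).unwrap();
    println!("hostile credit: {:?}", apply_window_update_checked(initial, &hostile));

    // The vulnerable variant panics; catch it here only to show the contrast.
    let survived = std::panic::catch_unwind(|| apply_window_update_panicking(initial, &hostile)).is_ok();
    println!("panicking variant survived hostile frame: {}", survived);
}
```

The point of the checked variant is not the arithmetic but where the failure lands: a `Result` lets the connection task send GoAway and drop the peer, whereas a panic leaves the outcome to the runtime and the application's panic strategy.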

Generated by OpenCVE AI on March 19, 2026 at 16:06 UTC.

Remediation

The fix is released: rust-yamux 0.13.9 corrects the WindowUpdate handling (see the description above). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Update libp2p:rust-yamux to version 0.13.9 or later; this release fixes the arithmetic overflow in WindowUpdate handling.
  • If an immediate upgrade is not feasible, limit exposure rather than relying on packet filtering: yamux frames are only visible to a network filter when they travel in the clear, and in libp2p deployments yamux is negotiated inside an encrypted secure channel, so a firewall cannot see or drop a malformed WindowUpdate. Restrict which peers may connect to the affected service, run it under a supervisor that restarts it on crash, rate-limit reconnections from a single source, and monitor for repeated connection-task panics or process restarts that coincide with new inbound connections.



Advisories
Source        ID                    Title
Github GHSA   GHSA-4w32-2493-32g7   Yamux vulnerable to remote Panic via malformed WindowUpdate credit
History

Thu, 19 Mar 2026 14:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Protocol; Protocol yamux
CPEs                                   cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:*
Vendors & Products                     Protocol; Protocol yamux
Metrics                                cvssV3_1: score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Mon, 16 Mar 2026 10:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Libp2p; Libp2p rust-yamux
Vendors & Products                     Libp2p; Libp2p rust-yamux

Fri, 13 Mar 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total


Fri, 13 Mar 2026 19:30:00 +0000

Type          Values Removed   Values Added
Description                    Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
Title                          Yamux remote Panic via malformed WindowUpdate credit
Weaknesses                     CWE-190
References
Metrics                        cvssV4_0: score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T19:38:02.290Z

Reserved: 2026-03-09T16:33:42.914Z

Link: CVE-2026-31814

Vulnrichment

Updated: 2026-03-13T19:37:58.086Z

NVD

Status : Analyzed

Published: 2026-03-13T19:54:36.470

Modified: 2026-03-19T13:51:44.067

Link: CVE-2026-31814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:14Z

Weaknesses