Description
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
Published: 2026-03-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Yamux is a stream multiplexer used over reliable, ordered connections such as TCP/IP. The Rust implementation (libp2p rust-yamux) before version 0.13.10 can panic when it processes a crafted inbound Data frame that has the SYN flag set and declares a body length greater than DEFAULT_CREDIT, the 256 KiB (262,144 byte) receive window a new stream starts with; 262,145 is simply the smallest such value. On the first frame of a new inbound stream, stream state is created and a receiver is queued before the oversized-body check completes. When that check fails, the temporary stream is dropped and the cleanup path may call remove(...).expect("stream not found") on state that is no longer present, which panics inside the connection state machine. The panic takes down the process hosting the Yamux connection, a denial of service classified as CWE-248 (Uncaught Exception). The root cause is ordering, not buffer arithmetic: the length is validated only after stream state has already been allocated.
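As an added illustration (this is not rust-yamux's own code, which is not reproduced on this page), the block below encodes and decodes the 12-byte Yamux frame header, builds the trigger frame named in the Description and in the Impact paragraph above (Data, SYN set, len = 262145), and shows the receive order the fix requires: reject the oversized body before any stream state is inserted, so a rejected frame never leaves a half-registered stream for cleanup to fail on. The Conn type, the Reject enum and the credit bookkeeping are this example's own simplifications; DEFAULT_CREDIT = 256 KiB and the big-endian header layout follow the Yamux specification.

```rust
// Added example, not rust-yamux code: Yamux header codec plus a receiver that
// validates the Data+SYN body length *before* registering any stream state.
use std::collections::HashMap;

/// Yamux header: version u8, type u8, flags u16, stream id u32, length u32 (big-endian).
pub const HEADER_LEN: usize = 12;
/// Initial receive window of a fresh stream (256 KiB). A Data+SYN body larger
/// than this cannot fit in the window the receiver has just granted.
pub const DEFAULT_CREDIT: u32 = 256 * 1024; // 262144
pub const TYPE_DATA: u8 = 0;
pub const FLAG_SYN: u16 = 0x1;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Header {
    pub version: u8,
    pub frame_type: u8,
    pub flags: u16,
    pub stream_id: u32,
    pub len: u32,
}

impl Header {
    pub fn encode(&self) -> [u8; HEADER_LEN] {
        let mut b = [0u8; HEADER_LEN];
        b[0] = self.version;
        b[1] = self.frame_type;
        b[2..4].copy_from_slice(&self.flags.to_be_bytes());
        b[4..8].copy_from_slice(&self.stream_id.to_be_bytes());
        b[8..12].copy_from_slice(&self.len.to_be_bytes());
        b
    }

    pub fn decode(buf: &[u8]) -> Option<Header> {
        if buf.len() < HEADER_LEN {
            return None;
        }
        Some(Header {
            version: buf[0],
            frame_type: buf[1],
            flags: u16::from_be_bytes([buf[2], buf[3]]),
            stream_id: u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]),
            len: u32::from_be_bytes([buf[8], buf[9], buf[10], buf[11]]),
        })
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    ShortHeader,
    BadVersion(u8),
    NotData(u8),
    /// Data+SYN whose body exceeds the credit a new stream would start with.
    OversizedBody { len: u32, limit: u32 },
    UnknownStream(u32),
    /// Data on an existing stream larger than its remaining receive window.
    WindowExceeded { stream_id: u32, len: u32, remaining: u32 },
}

/// Toy connection state (hypothetical): stream id -> remaining receive credit.
#[derive(Default)]
pub struct Conn {
    streams: HashMap<u32, u32>,
}

impl Conn {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn stream_count(&self) -> usize {
        self.streams.len()
    }

    pub fn on_frame(&mut self, raw: &[u8]) -> Result<(), Reject> {
        let h = Header::decode(raw).ok_or(Reject::ShortHeader)?;
        if h.version != 0 {
            return Err(Reject::BadVersion(h.version));
        }
        if h.frame_type != TYPE_DATA {
            return Err(Reject::NotData(h.frame_type));
        }
        if (h.flags & FLAG_SYN) != 0 {
            // All checks run before the insert: a rejected frame leaves no
            // half-registered stream behind, so no later cleanup can miss it.
            if h.len > DEFAULT_CREDIT {
                return Err(Reject::OversizedBody { len: h.len, limit: DEFAULT_CREDIT });
            }
            self.streams.insert(h.stream_id, DEFAULT_CREDIT - h.len);
            return Ok(());
        }
        let remaining = *self.streams.get(&h.stream_id).ok_or(Reject::UnknownStream(h.stream_id))?;
        if h.len > remaining {
            return Err(Reject::WindowExceeded { stream_id: h.stream_id, len: h.len, remaining });
        }
        self.streams.insert(h.stream_id, remaining - h.len);
        Ok(())
    }
}

/// The advisory's trigger as constructed input: Data frame, SYN set, caller-chosen len.
pub fn crafted_syn_data(stream_id: u32, len: u32) -> [u8; HEADER_LEN] {
    Header { version: 0, frame_type: TYPE_DATA, flags: FLAG_SYN, stream_id, len }.encode()
}

/// Stateless predicate usable from a proxy or detection rule: Data+SYN with len > DEFAULT_CREDIT.
pub fn is_oversized_syn_data(raw: &[u8]) -> bool {
    match Header::decode(raw) {
        Some(h) => h.version == 0 && h.frame_type == TYPE_DATA && (h.flags & FLAG_SYN) != 0 && h.len > DEFAULT_CREDIT,
        None => false,
    }
}

fn main() {
    let mut conn = Conn::new();
    let bad = crafted_syn_data(1, DEFAULT_CREDIT + 1); // len = 262145
    println!("{:?}", conn.on_frame(&bad));
    println!("streams after reject: {}", conn.stream_count());
}
```

is_oversized_syn_data is deliberately stateless so the same predicate can sit in front of an unpatched peer (a proxy, a fuzz harness, a packet-capture filter) and flag the frame on the wire without reimplementing the connection state machine.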

Affected Systems

Affected vendor and product: libp2p rust-yamux. All releases prior to 0.13.10 are affected regardless of configuration; 0.13.10 contains the fix. The advisory covers the Rust implementation only; Yamux implementations in other languages are outside its scope.

Risk and Exploitability

The CVSS 4.0 base score is 8.7 (High); NVD's CVSS 3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), availability impact only. The EPSS score is below 1%, so the current exploitation probability is low, and the vulnerability is not listed in the CISA KEV catalog; SSVC rates it Automatable: yes, Exploitation: none. The flaw is reachable by any remote peer that can open a normal Yamux session and requires no authentication: a single crafted Data frame (SYN set, body length above DEFAULT_CREDIT) crashes the process hosting the connection, so exposure is that of every network-facing service that speaks Yamux with untrusted peers.

Generated by OpenCVE AI on March 19, 2026 at 16:06 UTC.

Remediation

Vendor fix: rust-yamux 0.13.10 (see the GHSA advisory below). No workaround other than upgrading is published.

OpenCVE Recommended Actions

  • Apply the patch: upgrade libp2p rust-yamux to version 0.13.10 or newer.
  • Verify that the version actually linked into each binary (for example via Cargo.lock or cargo tree) is at least 0.13.10, rebuild, and restart the service so the patched code is in use.
  • Monitor application logs for unexpected panics or restarts and confirm that the service remains operational.

Advisories
Source: GitHub GHSA
ID: GHSA-vxx9-2994-q338
Title: Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145
History

Thu, 19 Mar 2026 14:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Protocol; Protocol yamux
CPEs                 -               cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:*
Vendors & Products   -               Protocol; Protocol yamux
Metrics              -               cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Mon, 16 Mar 2026 14:15:00 +0000

Type     Values Removed  Values Added
Metrics  -               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Libp2p; Libp2p rust-yamux
Vendors & Products   -               Libp2p; Libp2p rust-yamux

Fri, 13 Mar 2026 20:15:00 +0000

Type         Values Removed  Values Added
Description  -               Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
Title        -               Yamux remote Panic via malformed Data frame with SYN set and len = 262145
Weaknesses   -               CWE-248
References   -               -
Metrics      -               cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T13:48:29.665Z

Reserved: 2026-03-11T21:16:21.660Z

Link: CVE-2026-32314

Vulnrichment

Updated: 2026-03-16T13:48:04.294Z

NVD

Status : Analyzed

Published: 2026-03-16T14:19:34.030

Modified: 2026-03-19T14:30:43.087

Link: CVE-2026-32314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:40:05Z

Weaknesses