Description
Sliver is a command and control framework that uses a custom WireGuard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the time of publication.
Published: 2026-03-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Memory induced service disruption
Action: Patch
AI Analysis

Impact

An attacker who can authenticate to a Sliver C2 server or has taken control of an implant can send specially crafted 4-byte length prefixes over the mTLS or WireGuard transport. The socketReadEnvelope and socketWGReadEnvelope functions use these prefixes to size a buffer allocation, and because ServerMaxMessageSize allows allocations near 2 GiB, a single malicious prefix can request close to that much memory; sent across concurrent yamux streams, such prefixes can push the server to request several hundred gigabytes. The resulting out-of-memory condition causes the operating system to kill the Sliver process, taking down all active implant sessions and potentially affecting other services running on the same host. This weakness matches CWE-770 and CWE-789, which describe uncontrolled allocation and missing bounds checking.

Affected Systems

BishopFox Sliver, versions 1.7.3 and earlier.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Successful exploitation requires legitimate credentials or a compromised implant; the attacker then sends fabricated length prefixes over up to 128 concurrent yamux streams to reach the allocation limit. When triggered, this causes a denial of service that disrupts the C2 server and may cause collateral damage to other processes on the host. Because authentication is required, the risk is moderate for environments running unpatched Sliver, but a compromised implant elevates the threat level for any organization relying on those implants.

Generated by OpenCVE AI on March 24, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sliver to a version newer than 1.7.3 as soon as a patch is released.
  • If an upgrade is not immediately possible, limit ServerMaxMessageSize and the maximum number of concurrent Yamux streams to reduce the potential allocation size.
  • Continuously monitor the C2 server’s memory usage and enforce automatic restart or containment policies when abnormal usage is detected.
  • Revoke credentials for any compromised implants and regenerate new credentials for all active implants.
  • Consider disabling the mTLS/WireGuard transport temporarily until the vulnerability is addressed, if such a change is operationally acceptable.
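
The bounded read that the length-prefix flaw in the description and the size-limiting recommendation above both call for, as an added Go example (not Sliver's code and not part of the advisory): it rejects a declared length above a per-message cap, charges it against a budget shared by all streams of a connection, and grows its buffer only as body bytes arrive. The names readEnvelope, connBudget and maxEnvelope, the 2 MiB cap and the little-endian prefix are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"sync/atomic"
)

// Assumed per-message cap for this example; it is not a Sliver constant.
const maxEnvelope = 2 << 20
var errTooLarge = errors.New("declared length exceeds cap or connection budget")

// connBudget counts bytes still available to all streams of one connection.
type connBudget struct{ left int64 }

// take reserves n bytes, or returns false and leaves the budget unchanged.
func (b *connBudget) take(n int64) bool {
	if atomic.AddInt64(&b.left, -n) < 0 {
		atomic.AddInt64(&b.left, n)
		return false
	}
	return true
}

// readEnvelope reads a 4-byte length prefix (little-endian assumed) and body.
func readEnvelope(r io.Reader, b *connBudget) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int64(binary.LittleEndian.Uint32(hdr[:]))
	// Unbounded pattern: make([]byte, n) here, sized by the peer alone.
	if n > maxEnvelope || !b.take(n) {
		return nil, errTooLarge
	}
	var buf bytes.Buffer // grows only as body bytes actually arrive
	if _, err := io.CopyN(&buf, r, n); err != nil {
		atomic.AddInt64(&b.left, n) // failed read: return the reservation
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	r := bytes.NewReader([]byte{0xff, 0xff, 0xff, 0x7f}) // constructed prefix: ~2 GiB declared
	fmt.Println(readEnvelope(r, &connBudget{left: 8 << 20}))
}
```

The caller adds len(body) back to the budget once a message has been handled, so the worst case per connection is the budget itself rather than the cap multiplied by the stream count.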

Advisories
Source: GitHub GHSA
ID: GHSA-97vp-pwqj-46qc
Title: Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports
History

Tue, 24 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Bishopfox
Bishopfox sliver
Vendors & Products Bishopfox
Bishopfox sliver

Fri, 20 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Description Sliver is a command and control framework that uses a custom WireGuard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the time of publication.
Title Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports
Weaknesses CWE-770
CWE-789
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T02:53:38.174Z

Reserved: 2026-03-17T00:05:53.283Z

Link: CVE-2026-32941

Vulnrichment

Updated: 2026-03-21T02:53:33.795Z

NVD

Status: Analyzed

Published: 2026-03-20T04:16:49.560

Modified: 2026-03-24T12:08:22.717

Link: CVE-2026-32941

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:09:27Z

Weaknesses