216.73.217.22

CVE-2026-32314

· Published 16/03/2026 14:19 · Modified 16/03/2026 14:53

Labels: CVE-2026-32314 2026-03-16CVE-2026-32314CWE-248[email protected]

Essential information

Published
16/03/2026 14:19
Modified
16/03/2026 14:53
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

NVD status

Status
Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
yamux / yamux cpe:2.3:a:yamux:yamux:<0.13.10:*:*:*:*:*:*:*

References