CVE-2026-31814
Arithmetic Overflow in Yamux WindowUpdate Causes Remote Panic
Publication date: 2026-03-13
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| protocol | yamux | From 0.13.0 (inc) to 0.13.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31814 is a high-severity vulnerability in the Rust implementation of Yamux, a stream multiplexer protocol. A Yamux WindowUpdate frame carries a credit delta that the receiver adds to the send window of the named stream. Affected versions add an attacker-chosen delta to the existing window without checking for overflow, so a WindowUpdate frame with a very large credit value (0xFFFF_0000 is the value cited on this page) pushes the send-window accounting past the range of its integer type. The resulting arithmetic overflow triggers a panic in the connection state machine and crashes the target node.
Any remote peer that can establish a Yamux session can perform the attack; no authentication is required beyond whatever the surrounding transport enforces. This vulnerability affects Yamux versions from 0.13.0 up to but not including 0.13.9, where it has been fixed.
How can this vulnerability impact me?
This vulnerability impacts the availability of systems using vulnerable versions of Yamux. An attacker can remotely cause the target node to crash by triggering a panic in the connection state machine through an arithmetic overflow. This results in a denial-of-service (DoS) condition, potentially disrupting services that rely on Yamux for multiplexing network streams.
There is no impact on confidentiality or integrity, but the repeated crashing can cause service interruptions and degrade system reliability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no indicator other than the crash itself, so detection relies on two sources: the application's own panic output and, where the frames are visible, the Yamux traffic.
Application logs: a Rust panic from unchecked arithmetic prints the message `attempt to add with overflow` together with the panicking thread and source location. Alerting on that string in the process output of a node that uses Yamux, or on repeated restarts of the process, catches exploitation after the fact. Example: `journalctl -u <service> | grep -n 'attempt to add with overflow'`.
Network traffic: a WindowUpdate frame is a 12-byte Yamux header (version 0x00, type 0x01, 16-bit flags, 32-bit stream ID, 32-bit length field, all big-endian) whose length field holds the credit delta. A delta such as 0xFFFF_0000 is far above any legitimate window increment, so a type-0x01 header whose length field is close to u32::MAX is a strong signal. Capture the traffic with tcpdump and decode the header bytes manually; Wireshark has no built-in Yamux dissector, so a display filter cannot name the frame type directly.
- tcpdump -i <interface> -w yamux_capture.pcap port <yamux_port>
- Open yamux_capture.pcap in Wireshark and inspect the payload bytes of each segment for a type-0x01 header whose last four bytes decode to an implausibly large value.
Caveat: traffic inspection only works where the Yamux frames travel in cleartext. In libp2p deployments the Rust yamux crate runs inside a Noise or TLS secure channel, so the frames are invisible to a packet capture and log-based detection is the only option.
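To make the mechanism from the explanation above concrete, and to show what a detector for the frames described in this answer actually has to decode, here is an added example in Rust. It is not code from the yamux crate or from the advisory: the frame layout follows the public Yamux specification (12-byte header of version, type, flags, stream ID and length, all big-endian; type 0x1 is WindowUpdate and its length field carries the credit delta), the 256 KiB default window is the protocol's initial window size, and the names `parse_header`, `window_update`, `apply_credit_unchecked`, `apply_credit_checked` and `process_frame` are the example's own. The unchecked form illustrates the class of bug this page describes, not the crate's real code; the checked form rejects the frame as a protocol violation instead of panicking. The two frames it builds are constructed inputs, with the crafted one using the 0xFFFF_0000 credit cited above.

```rust
// Added example, not rust-yamux's own code. Frame layout per the Yamux spec:
// version(1) type(1) flags(2) stream_id(4) length(4), big-endian. For a
// WindowUpdate (type 0x1) the length field carries the credit delta.

const HEADER_LEN: usize = 12;
const TYPE_WINDOW_UPDATE: u8 = 0x1;
/// Yamux's initial per-stream window (256 KiB).
pub const DEFAULT_WINDOW: u32 = 256 * 1024;

#[derive(Debug, PartialEq)]
pub struct Header {
    pub version: u8,
    pub frame_type: u8,
    pub flags: u16,
    pub stream_id: u32,
    pub length: u32,
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    BadVersion(u8),
    /// A WindowUpdate whose credit would push the send window past u32::MAX.
    WindowOverflow { window: u32, credit: u32 },
}

/// Decode a 12-byte Yamux header from the start of `buf`.
pub fn parse_header(buf: &[u8]) -> Result<Header, FrameError> {
    if buf.len() < HEADER_LEN {
        return Err(FrameError::Truncated);
    }
    if buf[0] != 0 {
        return Err(FrameError::BadVersion(buf[0]));
    }
    Ok(Header {
        version: buf[0],
        frame_type: buf[1],
        flags: u16::from_be_bytes([buf[2], buf[3]]),
        stream_id: u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]),
        length: u32::from_be_bytes([buf[8], buf[9], buf[10], buf[11]]),
    })
}

/// Build a WindowUpdate header for `stream_id` carrying `credit`. This is the
/// shape of the constructed frame an attacker would send.
pub fn window_update(stream_id: u32, credit: u32) -> [u8; HEADER_LEN] {
    let mut h = [0u8; HEADER_LEN];
    h[1] = TYPE_WINDOW_UPDATE;
    h[4..8].copy_from_slice(&stream_id.to_be_bytes());
    h[8..12].copy_from_slice(&credit.to_be_bytes());
    h
}

/// Vulnerable pattern (hypothetical, illustrating the bug class): plain `+` on
/// the window. With Rust's overflow checks enabled (the default in debug builds)
/// a sum above u32::MAX panics with "attempt to add with overflow"; that panic
/// is the kind of crash this advisory describes.
pub fn apply_credit_unchecked(window: u32, credit: u32) -> u32 {
    window + credit
}

/// Hardened pattern: `checked_add` turns the overflow into a protocol error the
/// caller can answer by closing the connection rather than the process.
pub fn apply_credit_checked(window: u32, credit: u32) -> Result<u32, FrameError> {
    window
        .checked_add(credit)
        .ok_or(FrameError::WindowOverflow { window, credit })
}

/// Parse one frame and, if it is a WindowUpdate, apply its credit to `window`
/// with the checked accounting. Other frame types leave the window unchanged.
/// Doubles as a detector: `Err(WindowOverflow)` identifies the crafted frame.
pub fn process_frame(frame: &[u8], window: u32) -> Result<u32, FrameError> {
    let h = parse_header(frame)?;
    if h.frame_type == TYPE_WINDOW_UPDATE {
        apply_credit_checked(window, h.length)
    } else {
        Ok(window)
    }
}

fn main() {
    // Constructed frames: one legitimate increment, one crafted as in the advisory.
    let benign = window_update(1, 1024);
    let crafted = window_update(1, 0xFFFF_0000);
    println!("benign  -> {:?}", process_frame(&benign, DEFAULT_WINDOW));
    println!("crafted -> {:?}", process_frame(&crafted, DEFAULT_WINDOW));
}
```

The same `process_frame` logic can be run over the payload bytes of a cleartext capture to flag frames that would overflow a given window, which is what the manual Wireshark inspection above does by hand.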
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade the yamux crate to version 0.13.9 or later, where the overflow is fixed. Because the crate is usually pulled in transitively (for example through rust-libp2p), confirm the resolved version in the affected project with `cargo tree -i yamux` rather than by reading the direct dependencies alone.
Since the vulnerability is remotely exploitable by any peer that can open a Yamux session, patching is the only complete fix for the denial of service.
If upgrading immediately is not possible, filtering or rate-limiting WindowUpdate frames with large credit values at the network level is only feasible where the Yamux stream is visible in cleartext to a middlebox; in libp2p deployments the multiplexer runs inside the encrypted secure channel, so the practical interim measures are restricting which peers can reach the node and running the process under a supervisor that restarts it after a crash.
Monitoring and alerting on repeated panics (`attempt to add with overflow`) or process restarts related to Yamux connections also helps with early detection and response.