Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32314 is a vulnerability in the Rust implementation of Yamux, a stream multiplexer used in libp2p. The issue occurs when processing a specially crafted inbound Data frame that has the SYN flag set and a body length larger than the predefined limit DEFAULT_CREDIT (for example, 262,145 bytes). When the first packet of a new inbound stream is received, Yamux creates stream state and queues a receiver before checking if the body length is too large. If the validation fails, the temporary stream is dropped, but during cleanup, a call to remove(...).expect("stream not found") triggers a panic in the connection state machine, causing the process to crash.'}, {'type': 'paragraph', 'content': 'This vulnerability is remotely exploitable over a normal Yamux session without requiring authentication or user interaction.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is a loss of availability. An attacker who can establish a Yamux session can send a single specially crafted Data|SYN frame with an oversized body to cause the target process to panic and potentially terminate. This can disrupt services relying on Yamux by causing unexpected crashes.

There is no impact on confidentiality or integrity from this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or panics in applications using the Rust implementation of Yamux version prior to 0.13.10. Specifically, look for process termination or panic logs triggered by malformed inbound Data frames with the SYN flag set and an unusually large body length (greater than DEFAULT_CREDIT, e.g., 262,145 bytes).'}, {'type': 'paragraph', 'content': 'Network detection can involve capturing and analyzing Yamux traffic to identify inbound Data frames with the SYN flag set and body lengths exceeding the expected DEFAULT_CREDIT threshold.'}, {'type': 'paragraph', 'content': 'Suggested commands include using packet capture tools like tcpdump or Wireshark with filters to detect Yamux Data frames with large payloads and SYN flags. For example:'}, {'type': 'list_item', 'content': 'tcpdump -i <interface> -w yamux_capture.pcap'}, {'type': 'list_item', 'content': 'Use Wireshark to open yamux_capture.pcap and filter for Yamux Data frames with SYN flag set and body length > 262144 bytes.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring application logs for panic messages related to "stream not found" during Yamux stream cleanup can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the Rust implementation of Yamux to version 0.13.10 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider implementing network-level protections such as filtering or blocking inbound Yamux Data frames with the SYN flag set and body lengths exceeding the DEFAULT_CREDIT threshold (e.g., > 262,144 bytes) to prevent exploitation.

Also, monitor application logs for panic events related to Yamux streams and restart affected services promptly to maintain availability.

Useful 0 Not Useful 0