CVE-2026-32941
Remote Out-of-Memory in Sliver C2 Server Causes Crash
Publication date: 2026-03-20
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bishopfox | sliver | up to and including 1.7.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32941 is a remote Out-of-Memory (OOM) vulnerability in the Sliver command and control (C2) server's mTLS and WireGuard transport layers, affecting versions 1.7.3 and below.

The vulnerability arises because the server functions socketReadEnvelope and socketWGReadEnvelope trust an attacker-controlled 4-byte length prefix to allocate memory buffers without sufficient validation.

This length prefix can specify allocations of up to approximately 2 GiB per message, and with yamux multiplexing allowing up to 128 concurrent streams, an attacker can cause the server to allocate around 256 GiB of memory.

This excessive memory allocation triggers the operating system's OOM killer, crashing the Sliver server, disrupting all active implant sessions, and potentially degrading or killing other processes on the same host.

The vulnerability is due to three main issues: an excessively high maximum message size limit, allocation before cryptographic envelope verification, and amplification via yamux concurrent streams. [1]
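As an added illustration, not Sliver's code and not taken from the advisory, the following Go program puts the flawed pattern described above beside a hardened reader. The vulnerable reader turns the 4-byte prefix straight into an allocation before reading or checking anything; the hardened reader rejects out-of-range lengths while only the header is in memory, and authenticates the body before returning it. The wire layout (big-endian length, then an HMAC-SHA256 tag and payload), the 1 MiB cap, the key and the frames are all constructed assumptions for the example; they are not Sliver's framing, its limits or its function names.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Illustrative envelope reader in the shape the advisory describes; NOT Sliver's code.
// Assumed wire format for the example:
//   4-byte big-endian length || body, where body = 32-byte HMAC-SHA256 tag || payload
const (
	maxEnvelopeSize = 1 << 20 // assumed 1 MiB cap for the example, not Sliver's limit
	tagSize         = sha256.Size
)

var (
	ErrEnvelopeTooLarge = errors.New("envelope length exceeds cap")
	ErrEnvelopeTooShort = errors.New("envelope shorter than authentication tag")
	ErrBadTag           = errors.New("envelope authentication failed")
)

// readEnvelopeVulnerable mirrors the flawed pattern: the peer's length prefix
// becomes an allocation. A uint32 allows up to 4 GiB (the advisory puts Sliver's
// effective ceiling near 2 GiB) and nothing is checked before the buffer exists.
// 'allocated' reports the buffer size so the demo can show what happened.
func readEnvelopeVulnerable(r io.Reader) (payload []byte, allocated int, err error) {
	var hdr [4]byte
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return nil, 0, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // attacker-chosen size, allocated before any validation
	if _, err = io.ReadFull(r, buf); err != nil {
		return nil, len(buf), err
	}
	return buf, len(buf), nil
}

// readEnvelopeHardened bounds the declared length before allocating and
// authenticates the body before handing it to anything that parses it.
func readEnvelopeHardened(r io.Reader, key []byte) (payload []byte, allocated int, err error) {
	var hdr [4]byte
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return nil, 0, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	// 1. Reject out-of-range lengths while the only thing in memory is a 4-byte header.
	if n > maxEnvelopeSize {
		return nil, 0, ErrEnvelopeTooLarge
	}
	if n < tagSize {
		return nil, 0, ErrEnvelopeTooShort
	}
	// 2. The allocation is now bounded by a constant the peer does not control.
	buf := make([]byte, n)
	if _, err = io.ReadFull(r, buf); err != nil {
		return nil, len(buf), err
	}
	// 3. Authenticate before anything downstream parses the payload.
	tag, body := buf[:tagSize], buf[tagSize:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, len(buf), ErrBadTag
	}
	return body, len(buf), nil
}

// frame builds a well-formed envelope in the assumed format.
func frame(key, body []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	out := make([]byte, 4, 4+tagSize+len(body))
	binary.BigEndian.PutUint32(out, uint32(tagSize+len(body)))
	out = append(out, mac.Sum(nil)...)
	return append(out, body...)
}

// truncatedFrame is the attacker's message: a length prefix and nothing else.
func truncatedFrame(declared uint32) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], declared)
	return hdr[:]
}

func main() {
	key := []byte("constructed-demo-key") // constructed for the example
	p, _, err := readEnvelopeHardened(bytes.NewReader(frame(key, []byte("hello"))), key)
	fmt.Printf("valid frame: payload=%q err=%v\n", p, err)

	_, alloc, err := readEnvelopeVulnerable(bytes.NewReader(truncatedFrame(64 << 20)))
	fmt.Printf("vulnerable reader: allocated %d bytes for a 4-byte frame, err=%v\n", alloc, err)

	_, alloc, err = readEnvelopeHardened(bytes.NewReader(truncatedFrame(2 << 30)), key)
	fmt.Printf("hardened reader: allocated %d bytes, err=%v\n", alloc, err)
}
```

Run with go run: the vulnerable reader reports a 64 MiB buffer created by a 4-byte frame (the demo deliberately declares 64 MiB rather than 2 GiB so it is safe to run), while the hardened reader refuses a declared 2 GiB frame with nothing allocated. The bound is the part that matters: a receiver cannot authenticate a message it has not yet read, so "verify before allocate" is impossible on its own; capping the length makes the pre-verification buffer harmless, and a per-connection limit on yamux streams then caps the multiplier the advisory describes.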
How can this vulnerability impact me?
This vulnerability can cause a severe denial of service by forcing the Sliver server to allocate excessive amounts of memory, leading to an Out-of-Memory condition.
As a result, the Sliver server process crashes, disrupting all active implant sessions and potentially affecting other processes running on the same host.
This disruption can degrade the availability of the Sliver C2 infrastructure, impacting operations that rely on it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring the Sliver C2 server for abnormal memory allocation patterns and crashes caused by Out-of-Memory (OOM) conditions triggered by attacker-controlled length prefixes.

Since the vulnerability exploits the handling of 4-byte length prefixes in the mTLS and WireGuard transport layers, detection can focus on observing unusually large memory allocations or repeated OOM kills of the Sliver server process.

Suggested commands to detect potential exploitation attempts include:
- Use system monitoring tools like 'top', 'htop', or 'free -m' to watch for sudden spikes in memory usage by the Sliver server process.
- Check system logs (e.g., 'dmesg' or '/var/log/syslog') for OOM killer events targeting the Sliver server.
- Use network monitoring tools such as 'tcpdump' or 'wireshark' to spot abnormal connection behaviour towards the C2 listeners. Note that the envelope length prefix travels inside the mTLS or WireGuard tunnel, so a packet capture shows only ciphertext; the declared length is visible only to the server process itself, which is why the host-side signals above are the primary indicators.
- Monitor yamux multiplexing streams for an unusually high number of concurrent streams (up to 128 per connection), which may indicate exploitation attempts. The yamux stream headers are also inside the tunnel, so this needs instrumentation in the server rather than network capture. [1]
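The second item above (OOM-killer events in the kernel log) is the one signal that survives a successful attack, so it is worth scripting. As an added example, not part of the original entry, the Go program below scans dmesg/journal-style lines for the kernel's "Killed process N (comm) total-vm:...kB, anon-rss:...kB" report and keeps only events whose victim is the Sliver server process. The log lines are constructed for the example (the process name "sliver-server", the PIDs and the sizes are assumptions), but the field layout is the one the kernel prints, so the same function can be fed the real output of dmesg -T or journalctl -k.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// OOMKill is one kernel OOM-killer event recovered from a log line.
type OOMKill struct {
	PID       int
	Comm      string // process name as the kernel prints it, in parentheses
	TotalVMKB int
	AnonRSSKB int
}

// oomKillRe matches the kernel's "Killed process" report. The modern one-line
// form ("Out of memory: Killed process 123 (name) total-vm:...") and the older
// two-line form both carry these fields.
var oomKillRe = regexp.MustCompile(`Killed process (\d+) \(([^)]+)\) total-vm:(\d+)kB, anon-rss:(\d+)kB`)

// oomKills scans log lines and returns the OOM-killer events whose victim's
// name equals comm (e.g. "sliver-server"). Non-OOM lines and kills of other
// processes are ignored. Two or more hits within a few minutes of each other
// are the "repeated OOM kills" pattern described above.
func oomKills(lines []string, comm string) []OOMKill {
	var out []OOMKill
	for _, l := range lines {
		m := oomKillRe.FindStringSubmatch(l)
		if m == nil || m[2] != comm {
			continue
		}
		pid, _ := strconv.Atoi(m[1])
		vm, _ := strconv.Atoi(m[3])
		rss, _ := strconv.Atoi(m[4])
		out = append(out, OOMKill{PID: pid, Comm: m[2], TotalVMKB: vm, AnonRSSKB: rss})
	}
	return out
}

// sampleDmesg is constructed for this example; it is not a real capture.
var sampleDmesg = []string{
	"[Fri Mar 20 10:14:58 2026] sliver-server invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0",
	"[Fri Mar 20 10:14:58 2026] Out of memory: Killed process 4242 (sliver-server) total-vm:268591104kB, anon-rss:15894528kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:31248kB oom_score_adj:0",
	"[Fri Mar 20 10:15:12 2026] systemd[1]: sliver-server.service: Main process exited, code=killed, status=9/KILL",
	"[Fri Mar 20 10:16:03 2026] Out of memory: Killed process 4301 (sliver-server) total-vm:268591104kB, anon-rss:15901184kB, file-rss:0kB, shmem-rss:0kB, UID:1001 pgtables:31260kB oom_score_adj:0",
	"[Fri Mar 20 10:20:40 2026] Out of memory: Killed process 777 (chromium) total-vm:5123456kB, anon-rss:2400000kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:9000kB oom_score_adj:300",
}

func main() {
	for _, k := range oomKills(sampleDmesg, "sliver-server") {
		fmt.Printf("OOM kill: pid=%d comm=%s total-vm=%d MiB anon-rss=%d MiB\n",
			k.PID, k.Comm, k.TotalVMKB/1024, k.AnonRSSKB/1024)
	}
}
```

The total-vm figure is the one to watch in the real output: a server whose virtual size is hundreds of GiB while its resident set is far smaller is consistent with many large buffers being allocated but never filled, which is what a length-prefix abuse looks like from the host.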
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include limiting the exposure of the Sliver C2 server to untrusted or potentially compromised implants, and to users holding valid credentials, since exploitation requires a valid mTLS (or WireGuard) connection to the server.
Since no patched versions were available at the time of publication (the affected range tops out at 1.7.3, so check the project's releases for anything newer), consider the following actions:
- Restrict network access to the Sliver server to trusted hosts only, using firewall rules or network segmentation.
- Monitor and limit the number of concurrent yamux streams per connection if possible, to reduce the amplification potential (the advisory cites up to 128 streams per connection).
- Implement resource usage monitoring and automatic restart policies for the Sliver server so that it recovers quickly from crashes.
- Run the Sliver server in a container or other isolated environment with a memory limit, so that an OOM condition is contained to that process instead of degrading or killing other processes on the host.
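As an added example, not from the advisory or the Sliver project, the systemd unit below combines the last two items: a cgroup memory cap so the kernel reclaims this service first and leaves neighbouring processes alone, and an automatic restart with a backoff so a peer that keeps sending oversized frames cannot keep the service flapping. The unit name, the binary path, the service user and the limit values are assumptions to adapt to the deployment.

```ini
# /etc/systemd/system/sliver-server.service  (hypothetical unit; paths, user and limits are assumptions)
[Unit]
Description=Sliver C2 server
After=network-online.target
# At most 5 restarts in 5 minutes; beyond that systemd stops and the operator is paged.
StartLimitIntervalSec=300
StartLimitBurst=5

[Service]
User=sliver
ExecStart=/opt/sliver/sliver-server daemon
# Hard cap on the unit's cgroup: an OOM kills this service, not the host.
MemoryMax=4G
# Soft cap: the kernel starts reclaiming well before the hard limit is hit.
MemoryHigh=3G
# Restart after the OOM kill (SIGKILL counts as failure), with a pause.
Restart=on-failure
RestartSec=10s
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After editing the unit, apply it with systemctl daemon-reload followed by systemctl restart sliver-server, and confirm the cap with systemctl show sliver-server -p MemoryMax. The cap does not stop the crash; it turns a host-wide OOM event into a contained service restart and keeps the other mitigations (access restriction, stream limits) as the actual exposure reduction.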