GHSA-4W32-2493-32G7

Vulnerability from github – Published: 2026-03-13 18:57 – Updated: 2026-03-16 17:06
VLAI?
Summary
Yamux vulnerable to remote Panic via malformed WindowUpdate credit
Details

Sumary

The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state.
A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.

Attack Scenario

An attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames: 1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (DEFAULT_CREDIT). 2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.

Impact

Remote unauthenticated denial of service.
An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.

Patches

Users should upgrade to yamux v0.13.9

This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "yamux"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.0"
            },
            {
              "fixed": "0.13.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-13T18:57:19Z",
    "nvd_published_at": "2026-03-13T19:54:36Z",
    "severity": "HIGH"
  },
  "details": "### Sumary\nThe Rust implementation of Yamux accepts `WindowUpdate` credit values from the remote peer and applies them to per-stream send-window state.  \nA specially crafted `WindowUpdate` can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.\n#### Attack Scenario  \nAn attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:\n1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (`DEFAULT_CREDIT`).\n2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.\n### Impact\nRemote unauthenticated denial of service.  \nAn attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.\n### Patches\nUsers should upgrade to `yamux` `v0.13.9`\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
  "id": "GHSA-4w32-2493-32g7",
  "modified": "2026-03-16T17:06:20Z",
  "published": "2026-03-13T18:57:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31814"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-yamux/pull/221"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db53"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/libp2p/rust-yamux"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libp2p/rust-yamux/releases/tag/yamux-v0.13.9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Yamux vulnerable to remote Panic via malformed WindowUpdate credit"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.