High severity · NVD Advisory · Published Mar 13, 2026 · Updated Mar 13, 2026
Yamux remote Panic via malformed WindowUpdate credit
CVE-2026-31814
Description
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
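The description attributes the panic to overflow in send-window accounting. The Rust sketch below is an added example, not rust-yamux code and not the actual patch: it places a panicking credit update beside a checked one that reports a protocol error. All type and function names are hypothetical; the header layout and the 256 KiB initial window are taken from the yamux specification.

```rust
// Added example, not rust-yamux code. All names are hypothetical.
const TYPE_WINDOW_UPDATE: u8 = 0x1; // frame type value from the yamux spec

#[derive(Debug, PartialEq)]
pub enum CreditError {
    Truncated,
    NotWindowUpdate,
    WindowOverflow { window: u32, credit: u32 },
}

/// Read the credit from a 12-byte yamux header, big endian:
/// version(1) | type(1) | flags(2) | stream id(4) | length(4).
/// In a WindowUpdate frame the length field is the window delta.
pub fn window_update_credit(hdr: &[u8]) -> Result<u32, CreditError> {
    if hdr.len() < 12 {
        return Err(CreditError::Truncated);
    }
    if hdr[1] != TYPE_WINDOW_UPDATE {
        return Err(CreditError::NotWindowUpdate);
    }
    Ok(u32::from_be_bytes([hdr[8], hdr[9], hdr[10], hdr[11]]))
}

/// Failure mode, modelled: a peer-controlled overflow panics the receiver.
pub fn apply_credit_panicking(window: u32, credit: u32) -> u32 {
    window.checked_add(credit).expect("send window overflow")
}

/// Hardened form: overflow is a protocol error the caller can answer by
/// closing the stream or connection, without unwinding.
pub fn apply_credit(window: u32, credit: u32) -> Result<u32, CreditError> {
    window
        .checked_add(credit)
        .ok_or(CreditError::WindowOverflow { window, credit })
}

fn main() {
    // Constructed header: WindowUpdate on stream 1 granting 1024 bytes.
    let hdr = [0, TYPE_WINDOW_UPDATE, 0, 0, 0, 0, 0, 1, 0, 0, 4, 0];
    let window = 256 * 1024; // initial window size from the yamux spec
    let credit = window_update_credit(&hdr).unwrap();
    println!("{:?}", apply_credit(window, credit));
    println!("{:?}", apply_credit(u32::MAX - 10, credit));
}
```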
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| yamux (crates.io) | >= 0.13.0, < 0.13.9 | 0.13.9 |
Affected products
- Range: >= 0.13.0, < 0.13.9
References
- github.com/advisories/GHSA-4w32-2493-32g7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31814 (ghsa, ADVISORY)
- github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db53 (ghsa, WEB)
- github.com/libp2p/rust-yamux/pull/221 (ghsa, WEB)
- github.com/libp2p/rust-yamux/releases/tag/yamux-v0.13.9 (ghsa, WEB)
- github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7 (ghsa, x_refsource_CONFIRM, WEB)