Yamux remote Panic via malformed Data frame with SYN set and len = 262145
Description
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted inbound Data frame with SYN flag and oversized body triggers a panic in Rust Yamux, enabling remote denial-of-service without authentication.
Vulnerability
Overview
The Rust implementation of the Yamux stream multiplexer, used in protocols like libp2p, contains a logic flaw in its stream state management [1][2]. When an inbound Data frame with the SYN flag set SYN flag and a body length greater than DEFAULT_CREDIT (e.g., 262145 bytes) is processed, the code creates a new stream state and queues a receiver before validating the oversized body. If validation then fails, the temporary stream is dropped, and cleanup triggers a call to remove(...).expect("stream not found"), resulting in a panic in the connection state machine [3].
Attack
Vector and Prerequisites
An attacker who can establish a Yamux session with a target node—over a reliable, ordered transport such as TCP/IP—can crash the target by sending a single crafted frame [3]. The attack requires no authentication; it only needs a standard Yamux session to be negotiated. The malicious frame is a validly encoded Data|SYN frame with a body length equal to DEFAULT_CREDIT + 1 (e.g., 262145), sent on a new inbound stream ID [3.
Impact
Successful exploitation terminates the process on the vulnerable system, depending on the host application's panic policy. This constitutes a remote denial-of-service (DoS) vulnerability that can disrupt services relying on the affected Yamux implementation [1].
Mitigation
The vulnerability is fixed in version 0.13.10 of the Rust Yamux library [1][3]. Users are advised to upgrade immediately. No workarounds are documented; the fix ensures stream cleanup does not panic on validation failure [3].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
yamuxcrates.io | < 0.13.10 | 0.13.10 |
Affected products
2- libp2p/rust-yamuxv5Range: < 0.13.10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-vxx9-2994-q338ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32314ghsaADVISORY
- github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.