CVE-2026-32941
Description
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/bishopfox/sliverGo | <= 1.7.3 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qcnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-97vp-pwqj-46qcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32941ghsaADVISORY
- gist.github.com/skoveit/08f3ec08ffbf3deeff189a83ef827dcfghsaWEB
News mentions
10- CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access ExploitsThe Hacker News · May 15, 2026
- Frequently asked questions about the continued exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182)Tenable Blog · May 15, 2026
- Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilitiesCisco Talos Intelligence · May 14, 2026
- ‘PCPJack’ Worm Removes TeamPCP Infections, Steals CredentialsSecurityWeek · May 8, 2026
- New PCPJack worm steals credentials, cleans TeamPCP infectionsBleepingComputer · May 7, 2026
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud SystemsThe Hacker News · May 7, 2026
- UAT-8302 and its box full of malwareCisco Talos Intelligence · May 5, 2026
- 2026: The Year of AI-Assisted AttacksThe Hacker News · May 4, 2026
- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026
- PhantomCore Exploits TrueConf Vulnerabilities to Breach Russian NetworksThe Hacker News · Apr 27, 2026