CVE-2026-32314 Overview
CVE-2026-32314 is a denial of service vulnerability in the Rust implementation of Yamux, a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to version 0.13.10, the library can panic when processing a crafted inbound Data frame that sets the SYN flag and uses a body length greater than DEFAULT_CREDIT (e.g., 262145 bytes). This vulnerability allows remote attackers to crash Yamux-based applications without authentication.
Critical Impact
Remote, unauthenticated attackers can cause a denial of service condition by sending specially crafted network packets to any service using the vulnerable Yamux library, potentially disrupting peer-to-peer networking infrastructure and libp2p-based applications.
Affected Products
- Protocol Yamux versions prior to 0.13.10 (Rust implementation)
- Applications using the rust-yamux crate from libp2p
- Peer-to-peer networking services built on libp2p with Yamux transport
Discovery Timeline
- 2026-03-16 - CVE CVE-2026-32314 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32314
Vulnerability Analysis
The vulnerability exists in the stream state management logic of the Rust Yamux implementation. When processing the first packet of a new inbound stream, the library creates stream state and queues a receiver before completing validation of the body size. This creates a race condition where temporary stream objects can be left in an inconsistent state.
The flaw is classified as CWE-248 (Uncaught Exception), indicating that the application fails to properly handle exceptional conditions. The vulnerability is remotely reachable over a normal Yamux session and critically does not require any form of authentication, making it particularly dangerous for public-facing services.
Root Cause
The root cause stems from improper ordering of validation logic during new stream initialization. When an inbound Data frame arrives with the SYN flag set (indicating a new stream), the following sequence occurs:
- Stream state is created for the new connection
- A receiver is queued for the stream
- Body size validation is then performed against DEFAULT_CREDIT
- If validation fails due to oversized body (>262144 bytes), the temporary stream is dropped
- During cleanup, the code calls remove(...).expect("stream not found")
- This expectation fails because the stream state is in an inconsistent state, triggering a panic
The fundamental issue is that stream registration occurs before validation completes, leaving cleanup code with incorrect assumptions about stream state.
Attack Vector
The attack can be executed remotely over the network without any authentication. An attacker needs only to establish a TCP connection to a service using the vulnerable Yamux library and send a maliciously crafted Data frame. The frame must have the SYN flag set to indicate a new stream and include a body length exceeding the DEFAULT_CREDIT value of 262144 bytes.
The attack payload is straightforward: a single crafted packet containing an oversized body declaration with the SYN flag is sufficient to trigger the panic and crash the target application. This makes the vulnerability particularly easy to exploit at scale against peer-to-peer networks.
Detection Methods for CVE-2026-32314
Indicators of Compromise
- Unexpected application crashes or service restarts in libp2p-based services
- Rust panic messages in logs containing stream not found or expect() failures in Yamux connection handling code
- Abnormal TCP connections sending unusually large frame declarations with SYN flags
Detection Strategies
- Monitor application logs for Rust panic traces originating from the yamux crate, particularly in stream cleanup or removal functions
- Implement network monitoring to detect anomalous Yamux protocol frames with body lengths exceeding 262144 bytes
- Deploy intrusion detection rules to flag Data frames with SYN flags and oversized body declarations
Monitoring Recommendations
- Configure crash monitoring and alerting for services using the rust-yamux library
- Implement rate limiting on new stream creation to reduce the impact of exploitation attempts
- Enable verbose logging for Yamux stream operations to capture exploitation attempts before they succeed
How to Mitigate CVE-2026-32314
Immediate Actions Required
- Upgrade the rust-yamux crate to version 0.13.10 or later immediately
- Review and update all applications and services that depend on the Yamux library
- Audit dependency trees to identify transitive dependencies on vulnerable yamux versions
- Consider temporarily restricting network access to affected services until patching is complete
Patch Information
The vulnerability has been fixed in version 0.13.10 of the rust-yamux library. The fix addresses the ordering of validation logic to ensure body size validation completes before stream state is registered, preventing the inconsistent state that leads to the panic.
For detailed patch information and the security advisory, refer to the GitHub Security Advisory GHSA-vxx9-2994-q338.
Workarounds
- Deploy network-level filtering to drop Yamux frames with body lengths exceeding 262144 bytes at the perimeter
- Implement application-level circuit breakers to restart crashed services automatically while patching is in progress
- Consider temporarily disabling Yamux transport in favor of alternative multiplexers if your application supports them
# Update rust-yamux in Cargo.toml
# Ensure minimum version 0.13.10
cargo update -p yamux --precise 0.13.10
# Verify the updated version
cargo tree -p yamux
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
