CVE-2026-31814
Published: 13 March 2026
Summary
CVE-2026-31814 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Protocol Yamux. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31814 affects Yamux, a stream multiplexer over reliable, ordered connections such as TCP/IP, specifically in the rust-yamux implementation from versions 0.13.0 up to but not including 0.13.9. The vulnerability stems from an arithmetic overflow (CWE-190) in send-window accounting, triggered by a specially crafted WindowUpdate frame. This causes a panic in the connection state machine, rated at CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any remote attacker can exploit this over a normal network connection without authentication by sending the crafted WindowUpdate frame. Successful exploitation results in a denial-of-service condition, crashing the affected Yamux connection and potentially disrupting services relying on it for stream multiplexing.
The vulnerability is fixed in Yamux version 0.13.9. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12083
Vulnerability details
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely…
more
reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes remote unauthenticated exploitation of an arithmetic overflow in the Yamux stream multiplexer via a crafted WindowUpdate frame, directly causing a panic/crash and denial-of-service. This matches T1499.004 (Application or System Exploitation) under the Endpoint Denial of Service technique.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of identified flaws, such as patching Yamux to version 0.13.9 or later to eliminate the arithmetic overflow vulnerability.
Implements protections against denial-of-service attacks, including measures to mitigate remotely triggered crashes from crafted WindowUpdate frames in Yamux.
Enforces validation of incoming network inputs like WindowUpdate frames to detect and reject those causing arithmetic overflows in send-window accounting.