Cyber Resilience

CVE-2026-32314

HighPublic PoC

Published: 16 March 2026

Published
16 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 35.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-32314 is a high-severity Uncaught Exception (CWE-248) vulnerability in Protocol Yamux. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 35.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-32314 is a denial-of-service vulnerability in the Rust implementation of Yamux, a stream multiplexer over reliable, ordered connections such as TCP/IP. The issue affects versions prior to 0.13.10 and stems from a panic triggered when processing a crafted inbound Data frame that sets the SYN flag and specifies a body length greater than the DEFAULT_CREDIT value (e.g., 262145). On the first packet of a new inbound stream, the stream state is created and a receiver is queued before oversized-body validation completes; when validation fails, dropping the temporary stream leads to a cleanup call that invokes remove(...).expect("stream not found"), causing a panic in the connection state machine.

Any remote attacker can exploit this vulnerability over a normal Yamux session without authentication by sending the malicious frame, resulting in a crash of the affected Yamux connection. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects its network accessibility, low attack complexity, lack of privileges or user interaction requirements, and high impact on availability due to the unhandled exception (CWE-248).

The vulnerability is fixed in Yamux version 0.13.10, as detailed in the GitHub Security Advisory at https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338. Security practitioners should upgrade to the patched version to mitigate the risk of remote denial-of-service attacks.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT…

more

(e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated crash via crafted Yamux Data frame with oversized body directly enables application exploitation resulting in endpoint DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31814Same product: Protocol Yamux
CVE-2026-33040Same vendor: Protocol
CVE-2026-35405Same vendor: Protocol
CVE-2026-35457Same vendor: Protocol
CVE-2026-31870Shared CWE-248
CVE-2025-20176Shared CWE-248
CVE-2026-32770Shared CWE-248
CVE-2026-34943Shared CWE-248
CVE-2026-44001Shared CWE-248
CVE-2026-43988Shared CWE-248

Affected Assets

protocol
yamux
≤ 0.13.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the known flaw by upgrading to Yamux version 0.13.10 directly eliminates the panic vulnerability in stream handling.

prevent

Validating inbound Yamux Data frames for SYN flag and body length exceeding DEFAULT_CREDIT before stream state creation prevents the oversized frame from triggering the vulnerability.

prevent

Secure error handling during temporary stream cleanup after validation failure prevents the expect('stream not found') panic in the connection state machine.

References