CVE-2026-32314
Published: 16 March 2026
Summary
CVE-2026-32314 is a high-severity Uncaught Exception (CWE-248) vulnerability in the Rust implementation of the Yamux stream multiplexer (libp2p/rust-yamux), affecting versions prior to 0.13.10. Its listed CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 35.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-32314 is a denial-of-service vulnerability in the Rust implementation of Yamux, a stream multiplexer over reliable, ordered connections such as TCP/IP. The issue affects versions prior to 0.13.10 and stems from a panic triggered when processing a crafted inbound Data frame that sets the SYN flag and declares a body length greater than DEFAULT_CREDIT (e.g., 262145, one byte over a 256 KiB window). On the first frame of a new inbound stream, the stream state is created and a receiver is queued before the oversized-body check runs; when that check fails, the temporary stream is dropped, and its cleanup path calls remove(...).expect("stream not found") on a map that never received the entry, so the expect panics inside the connection state machine. The root cause is therefore an ordering bug (state created before input validation) combined with a cleanup path that treats a missing entry as impossible.
Any remote peer can trigger this over a normal Yamux session without authentication by sending the single malicious frame; the resulting panic tears down the affected connection, and, if the host process is built with panic=abort or does not isolate the connection task, can take the whole process down. The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H evaluates to 7.5 (the 8.7 given in the summary is not a v3.1 score and comes from a different scoring scheme), reflecting network reachability, low attack complexity, no privileges or user interaction, and high availability impact from the unhandled exception (CWE-248).
The vulnerability is fixed in Yamux version 0.13.10, as detailed in the GitHub Security Advisory at https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338. Practitioners should upgrade to 0.13.10 or later; projects that pull in yamux transitively should confirm the resolved version in Cargo.lock (for example with cargo tree -i yamux) rather than assuming the top-level dependency was bumped.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12095
Vulnerability details
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
- CWE(s): CWE-248 (Uncaught Exception)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remote, unauthenticated crash triggered by a crafted Yamux Data frame with an oversized body is application exploitation resulting in endpoint denial of service (T1499.004).
Affected Assets
Rust implementation of Yamux (libp2p/rust-yamux), versions prior to 0.13.10.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): upgrading to Yamux version 0.13.10 or later removes the panic from the stream-handling code.
SI-10 (Information Input Validation): checking an inbound Data frame's SYN flag and body length against DEFAULT_CREDIT before any stream state is created means an oversized frame is rejected without ever reaching the cleanup path.
SI-11 (Error Handling): cleanup of a temporary stream after a validation failure must tolerate an entry that was never registered; replacing remove(...).expect("stream not found") with handling of the None case keeps a rejected frame from panicking the connection state machine.
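The following Rust program is an added illustration of the ordering bug described in the Deeper analysis section and of the SI-10/SI-11 controls listed above; it is not code from libp2p/rust-yamux. It parses the public 12-byte Yamux header format, then feeds a constructed SYN Data frame with length DEFAULT_CREDIT + 1 to two toy connection handlers: one that models the pre-0.13.10 ordering (stream state first, length check second, expect() on cleanup) and one that validates before creating state. The Connection and Stream types, the handler names and the 256 KiB DEFAULT_CREDIT value are assumptions made for the example.

```rust
// Added illustration of the ordering bug described on this page. It is a stand-alone model,
// not code from libp2p/rust-yamux: the Connection/Stream types, handler names and the
// 256 KiB DEFAULT_CREDIT value are assumptions made for the example.
use std::collections::HashMap;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Yamux header layout: version(1) | type(1) | flags(2) | stream id(4) | length(4), big-endian.
pub const HEADER_LEN: usize = 12;
pub const TYPE_DATA: u8 = 0x0;
pub const FLAG_SYN: u16 = 0x1;
/// Assumed initial receive window; the page's example length 262145 is one byte over it.
pub const DEFAULT_CREDIT: u32 = 256 * 1024;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Header { pub version: u8, pub frame_type: u8, pub flags: u16, pub stream_id: u32, pub length: u32 }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum FrameError { Truncated, BadVersion(u8), OversizedBody { stream_id: u32, length: u32 } }

pub fn parse_header(buf: &[u8]) -> Result<Header, FrameError> {
    if buf.len() < HEADER_LEN { return Err(FrameError::Truncated); }
    if buf[0] != 0 { return Err(FrameError::BadVersion(buf[0])); }
    Ok(Header { version: buf[0], frame_type: buf[1], flags: u16::from_be_bytes([buf[2], buf[3]]),
        stream_id: u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]),
        length: u32::from_be_bytes([buf[8], buf[9], buf[10], buf[11]]) })
}

pub fn encode_header(h: &Header) -> [u8; HEADER_LEN] {
    let mut out = [0u8; HEADER_LEN];
    out[0] = h.version;
    out[1] = h.frame_type;
    out[2..4].copy_from_slice(&h.flags.to_be_bytes());
    out[4..8].copy_from_slice(&h.stream_id.to_be_bytes());
    out[8..12].copy_from_slice(&h.length.to_be_bytes());
    out
}

/// Toy per-stream state; the real crate keeps windows, buffers and a receiver here.
pub struct Stream { pub id: u32 }

#[derive(Default)] pub struct Connection { streams: HashMap<u32, Stream> }

impl Connection {
    pub fn new() -> Self { Self::default() }
    pub fn stream_count(&self) -> usize { self.streams.len() }

    /// Models the pre-0.13.10 ordering: stream state is created first, the body length is
    /// checked second, and the failure path cleans up with expect(), which panics because
    /// the temporary stream was never registered in the map.
    pub fn on_data_frame_vulnerable(&mut self, h: &Header) -> Result<(), FrameError> {
        if h.frame_type == TYPE_DATA && (h.flags & FLAG_SYN) != 0 {
            let stream = Stream { id: h.stream_id }; // state exists before validation
            if h.length > DEFAULT_CREDIT {
                drop(stream); // dropping the temporary stream runs cleanup...
                self.streams.remove(&h.stream_id).expect("stream not found"); // ...which panics
                return Err(FrameError::OversizedBody { stream_id: h.stream_id, length: h.length });
            }
            self.streams.insert(stream.id, stream);
        }
        Ok(())
    }

    /// Hardened ordering: validate the frame before any stream state exists (SI-10), so no
    /// cleanup of an unregistered stream can happen, and no expect() sits on the error path (SI-11).
    pub fn on_data_frame_fixed(&mut self, h: &Header) -> Result<(), FrameError> {
        if h.frame_type == TYPE_DATA && (h.flags & FLAG_SYN) != 0 {
            if h.length > DEFAULT_CREDIT {
                return Err(FrameError::OversizedBody { stream_id: h.stream_id, length: h.length });
            }
            self.streams.insert(h.stream_id, Stream { id: h.stream_id });
        }
        Ok(())
    }
}

/// Constructed attacker frame: Data, SYN, new stream id 1, body length DEFAULT_CREDIT + 1 (262145).
pub fn crafted_frame() -> [u8; HEADER_LEN] {
    encode_header(&Header { version: 0, frame_type: TYPE_DATA, flags: FLAG_SYN, stream_id: 1, length: DEFAULT_CREDIT + 1 })
}

/// Feeds the crafted frame to both handlers. Returns (vulnerable handler panicked,
/// hardened handler's result, stream entries the hardened handler left behind).
pub fn demo() -> (bool, Result<(), FrameError>, usize) {
    let h = parse_header(&crafted_frame()).expect("constructed header is well-formed");
    let panicked = catch_unwind(AssertUnwindSafe(|| {
        let mut conn = Connection::new();
        let _ = conn.on_data_frame_vulnerable(&h);
    })).is_err();
    let mut conn = Connection::new();
    let fixed = conn.on_data_frame_fixed(&h);
    (panicked, fixed, conn.stream_count())
}

fn main() {
    let (panicked, fixed, left) = demo();
    println!("vulnerable panicked: {panicked}; hardened returned {fixed:?} with {left} streams left");
}
```

Running it shows the vulnerable handler panicking with "stream not found" while the hardened handler returns an OversizedBody error and leaves no stream state behind. The point of the hardened version is not the extra comparison (the vulnerable version has the same one) but where it sits: before any object whose Drop or cleanup assumes a consistent map exists. Where a cleanup path must tolerate missing entries, return or log on None instead of unwrapping it.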