Infinite Queue of Pending Frames in Yamux: A Memory-Based Attack
CVE-2024-32984
What is CVE-2024-32984?
Yamux is a stream multiplexer; rust-yamux is its Rust implementation (the one used by rust-libp2p). Affected versions are vulnerable to remote memory exhaustion. The connection keeps every outgoing frame that has not yet been written to the transport in a vector of pending frames, and that vector has no upper bound. Whenever the multiplexer needs to send a frame it appends it to this vector and writes it to the socket later, when the socket becomes writable. A remote peer can stop the victim from writing out any data at all, for example by shrinking its TCP receive window to zero and never reopening it, while still causing the victim to generate new frames. Since nothing drains the queue, the vector of pending frames grows without limit and the victim's memory consumption grows with it, until the operating system kills the process: a denial of service that requires nothing more than an established Yamux connection to the victim. Operators of exposed nodes should upgrade to a patched release; until then, unexplained per-connection memory growth on a node whose peer stops acknowledging data is the symptom to watch for.
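The queueing behaviour described above, as an added illustration (this is not rust-yamux's code and not the advisory's; all type and function names are hypothetical): a sender whose pending-frame queue can never drain because the peer keeps its window at zero, first with an unbounded queue and then with a cap that turns the stall into an error the caller can act on.

```rust
// Added example, not code from rust-yamux. Models the sender side of a
// multiplexed connection: frames are queued until the transport can take
// them, and a peer that never reopens its receive window keeps the queue
// from ever draining. `max_pending` = None reproduces the unbounded
// behaviour; Some(n) is the hardened form.
use std::collections::VecDeque;

/// A frame waiting to be written to the transport (simplified, hypothetical).
#[derive(Debug, Clone)]
pub struct Frame {
    pub stream_id: u32,
    pub payload: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum QueueError {
    /// The peer is not draining and the pending queue has hit its cap.
    TooManyPendingFrames { pending: usize, max: usize },
}

pub struct Connection {
    pending: VecDeque<Frame>,
    /// Bytes the transport will currently accept; a peer advertising a
    /// zero TCP receive window keeps this at 0 indefinitely.
    peer_window: usize,
    max_pending: Option<usize>,
}

impl Connection {
    pub fn new(peer_window: usize, max_pending: Option<usize>) -> Self {
        Connection { pending: VecDeque::new(), peer_window, max_pending }
    }

    /// Queue a frame for sending. With no cap this always succeeds, so
    /// memory grows without limit while the peer refuses to read.
    pub fn queue(&mut self, frame: Frame) -> Result<(), QueueError> {
        if let Some(max) = self.max_pending {
            if self.pending.len() >= max {
                return Err(QueueError::TooManyPendingFrames {
                    pending: self.pending.len(),
                    max,
                });
            }
        }
        self.pending.push_back(frame);
        Ok(())
    }

    /// Write as many queued frames as the peer's window allows.
    /// Returns the number of bytes handed to the transport.
    pub fn flush(&mut self) -> usize {
        let mut sent = 0;
        while let Some(front) = self.pending.front() {
            if front.payload.len() > self.peer_window {
                break;
            }
            self.peer_window -= front.payload.len();
            sent += front.payload.len();
            self.pending.pop_front();
        }
        sent
    }

    pub fn pending_frames(&self) -> usize {
        self.pending.len()
    }

    pub fn pending_bytes(&self) -> usize {
        self.pending.iter().map(|f| f.payload.len()).sum()
    }
}

/// Simulate a peer whose window never opens while the local side keeps
/// producing `n` frames of `size` bytes (constructed input). Returns the
/// number of frames accepted into the queue and the bytes held in memory.
pub fn simulate_stalled_peer(n: usize, size: usize, max_pending: Option<usize>) -> (usize, usize) {
    let mut conn = Connection::new(0, max_pending);
    let mut queued = 0;
    for i in 0..n {
        // Odd stream ids, as a client-initiated Yamux stream would use.
        let frame = Frame { stream_id: 1 + 2 * (i as u32 % 8), payload: vec![0xAB; size] };
        if conn.queue(frame).is_err() {
            break; // hardened variant: caller can now close the connection
        }
        queued += 1;
        conn.flush(); // sends nothing: peer_window is 0
    }
    (queued, conn.pending_bytes())
}

fn main() {
    let (q, b) = simulate_stalled_peer(10_000, 16 * 1024, None);
    println!("unbounded: {} frames queued, {} bytes held", q, b);
    let (q, b) = simulate_stalled_peer(10_000, 16 * 1024, Some(64));
    println!("capped:    {} frames queued, {} bytes held, then error", q, b);
}
```

The unbounded run holds every frame the local side produces, so the memory cost is set entirely by how long the attacker keeps the window closed and how much traffic it can provoke. With a cap, the queue error surfaces to the caller, who can close the connection (the choice to drop frames or close is a design decision; the example only makes the condition visible).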

Affected Version(s)
rust-yamux < 0.13.2
