Stream Multiplexer Vulnerability in Rust Implementation of Yamux
CVE-2026-32314

8.7 HIGH

Key Information:

Vendor: Libp2p
CVE Published: 13 March 2026

What is CVE-2026-32314?

The Rust implementation of Yamux, a stream multiplexer over reliable and ordered connections such as TCP/IP, can be made to panic by a crafted inbound Data frame. In versions prior to 0.13.10, the panic may be triggered when an incoming Data frame sets SYN and its body length exceeds the limit defined as DEFAULT_CREDIT (e.g. 262145). When a new inbound stream is initialized, its state is established before the body length is properly validated. The connection state machine then panics when cleanup attempts to remove a stream that doesn't exist, creating a potentially exploitable condition. The issue is reachable remotely and does not require authentication. The vulnerability has been addressed in version 0.13.10.
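The ordering problem described above, shown as an added example in its hardened form: the body length is checked before any stream state is created, and cleanup tolerates a stream id that was never registered. This is a simplified model written for this page, not rust-yamux code or its patch; `DataHeader`, `Verdict` and `Connection` are hypothetical names, and the 262144 limit is assumed from the page's 262145 example.

```rust
use std::collections::HashMap;

// Assumed limit: the page cites 262145 as a length that exceeds it.
const DEFAULT_CREDIT: u32 = 262_144;
const FLAG_SYN: u16 = 0x1; // SYN flag bit in the yamux header

/// Decoded fields of an inbound Data frame header (hypothetical type).
pub struct DataHeader { pub stream_id: u32, pub flags: u16, pub body_len: u32 }

#[derive(Debug, PartialEq)]
pub enum Verdict { Opened, Delivered, Rejected(&'static str) }

/// Hypothetical connection model: stream id -> remaining receive credit.
#[derive(Default)]
pub struct Connection { streams: HashMap<u32, u32> }

impl Connection {
    pub fn on_data(&mut self, h: &DataHeader) -> Verdict {
        // 1. Validate the length before any state exists for this frame.
        if h.body_len > DEFAULT_CREDIT {
            // 2. Cleanup is a no-op when the stream was never registered.
            self.streams.remove(&h.stream_id);
            return Verdict::Rejected("body length exceeds credit");
        }
        if h.flags & FLAG_SYN != 0 {
            if self.streams.contains_key(&h.stream_id) {
                return Verdict::Rejected("stream id already open");
            }
            // 3. Only now register the new inbound stream.
            self.streams.insert(h.stream_id, DEFAULT_CREDIT - h.body_len);
            return Verdict::Opened;
        }
        match self.streams.get_mut(&h.stream_id) {
            None => Verdict::Rejected("unknown stream"),
            Some(credit) if *credit < h.body_len => Verdict::Rejected("exceeds remaining credit"),
            Some(credit) => { *credit -= h.body_len; Verdict::Delivered }
        }
    }
    pub fn open_streams(&self) -> usize { self.streams.len() }
}

fn main() {
    let mut c = Connection::default();
    // Constructed sample: SYN Data frame one byte over the assumed limit.
    let v = c.on_data(&DataHeader { stream_id: 1, flags: FLAG_SYN, body_len: 262_145 });
    println!("{:?}, open streams: {}", v, c.open_streams());
}
```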

Affected Version(s)

rust-yamux < 0.13.10

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
