Fluid Attacks Database

Description

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	rust-yamux	=0.13.10+ds-1 \|\| =0.13.10+ds-2 \|\| =0.13.3-4 \|\| =0.13.7-1 \|\| =0.13.8-1 \|\| =0.13.9+ds-1	-
debian 14	rust-yamux	=0.13.3-4 \|\| =0.13.7-1 \|\| =0.13.8-1 \|\| =0.13.9+ds-1 \|\| >=0 <0.13.10+ds-1	0.13.10+ds-1
cargo	yamux	>=0 <0.13.10	0.13.10

Aliases

1. CVE-2026-323142. NVD-2026-323143. OSV-DEBIAN-2026-323144. OSV-2026-323145. GHSA-vxx9-2994-q3386. GCVE-2026-323147. SECURITY-TRACKER-CVE-2026-32314

References

1. https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.