Fluid Attacks Database

Description

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	rust-yamux	=0.13.3-4 \|\| =0.13.7-1 \|\| =0.13.8-1 \|\| >=0 <0.13.9+ds-1	0.13.9+ds-1
debian 13	rust-yamux	=0.13.10+ds-1 \|\| =0.13.10+ds-2 \|\| =0.13.3-4 \|\| =0.13.7-1 \|\| =0.13.8-1 \|\| =0.13.9+ds-1	-
cargo	yamux	>=0.13.0 <0.13.9	0.13.9

Aliases

1. CVE-2026-318142. NVD-2026-318143. OSV-DEBIAN-2026-318144. OSV-2026-318145. GHSA-4w32-2493-32g76. GCVE-2026-318147. SECURITY-TRACKER-CVE-2026-31814

References

1. https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g72. https://github.com/libp2p/rust-yamux/pull/2213. https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db534. https://github.com/libp2p/rust-yamux/releases/tag/yamux-v0.13.9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.