Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
Yamux Remote Crash via Malformed Window Update
GHSA-4w32-2493-32g7
CVE-2026-31814
GHSA-4w32-2493-32g7
Summary
A specific type of packet can cause Yamux to crash, leading to a denial of service. Affected users should update to version 0.13.9 of Yamux to fix the issue. This vulnerability can be exploited by anyone with network access to a Yamux session, without needing a password or other authentication.
What to do
- Update yamux to version 0.13.9.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | yamux | > 0.13.0 , <= 0.13.9 | 0.13.9 |
Original title
Yamux vulnerable to remote Panic via malformed WindowUpdate credit
Original description
### Sumary
The Rust implementation of Yamux accepts `WindowUpdate` credit values from the remote peer and applies them to per-stream send-window state.
A specially crafted `WindowUpdate` can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.
#### Attack Scenario
An attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:
1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (`DEFAULT_CREDIT`).
2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.
### Impact
Remote unauthenticated denial of service.
An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.
### Patches
Users should upgrade to `yamux` `v0.13.9`
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
The Rust implementation of Yamux accepts `WindowUpdate` credit values from the remote peer and applies them to per-stream send-window state.
A specially crafted `WindowUpdate` can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.
#### Attack Scenario
An attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:
1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (`DEFAULT_CREDIT`).
2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.
### Impact
Remote unauthenticated denial of service.
An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.
### Patches
Users should upgrade to `yamux` `v0.13.9`
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
ghsa CVSS4.0
8.7
Vulnerability type
CWE-190
Integer Overflow
- https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7
- https://github.com/libp2p/rust-yamux/pull/221
- https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174...
- https://github.com/libp2p/rust-yamux/releases/tag/yamux-v0.13.9
- https://github.com/advisories/GHSA-4w32-2493-32g7
- https://github.com/libp2p/rust-yamux Product
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026