8.7
Yamux can be crashed by a malicious data frame
GHSA-vxx9-2994-q338
CVE-2026-32314
Summary
A malicious user can crash the Yamux software by sending a specially crafted data frame through a Yamux session. This can happen if the user has a Yamux session with another party. To fix this, update to version 0.13.10 of Yamux. This issue was found by a researcher who reported it as part of the Ethereum Foundation's bug bounty program.
What to do
- Update yamux to version 0.13.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | yamux | <= 0.13.10 | 0.13.10 |
Original title
Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145
Original description
### Summary
The Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145).
On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine.
This is remotely reachable over a normal Yamux session and does not require authentication.
#### Attack Scenario
An attacker that can establish a Yamux session with a target node can crash the target by sending a single validly encoded Yamux Data|SYN frame with an oversized body:
1. Establish a standard authenticated transport session that negotiates Yamux.
2. Send one Yamux frame with:
   - Tag = Data
   - Flags = SYN
   - StreamId = 1 (or any new inbound stream id)
   - Length = DEFAULT_CREDIT + 1 (e.g. 262145)
   - Body of matching size
This can trigger a panic (stream not found) and terminate the process, depending on host application panic policy.
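The ordering issue described above, as an added illustration that is not the yamux crate's code or its actual patch: a hypothetical stream table that checks a Data frame's length against receive credit before creating any state for a new stream, and whose cleanup tolerates a missing entry. `Conn`, `Verdict`, `on_data_header`, `on_stream_dropped` and `header` are assumed names; the 12-byte header layout follows the Yamux spec and the credit value follows the advisory's figure.

```rust
use std::collections::HashMap;
const DEFAULT_CREDIT: u32 = 256 * 1024; // 262144; the advisory's 262145 is this + 1
const TYPE_DATA: u8 = 0;
const FLAG_SYN: u16 = 0x1;

#[derive(Debug, PartialEq)]
enum Verdict { Accepted, BodyTooLarge, UnknownStream, Unsupported }
/// Hypothetical stream table: stream id -> remaining receive credit.
#[derive(Default)]
struct Conn { streams: HashMap<u32, u32> }

impl Conn {
    /// Handle a 12-byte header (version, type, flags, id, length; big-endian). Data frames only.
    fn on_data_header(&mut self, h: &[u8; 12]) -> Verdict {
        if h[0] != 0 || h[1] != TYPE_DATA { return Verdict::Unsupported; }
        let flags = u16::from_be_bytes([h[2], h[3]]);
        let id = u32::from_be_bytes([h[4], h[5], h[6], h[7]]);
        let len = u32::from_be_bytes([h[8], h[9], h[10], h[11]]);
        let credit = match self.streams.get(&id) {
            Some(c) => *c,
            None if flags & FLAG_SYN != 0 => DEFAULT_CREDIT,
            None => return Verdict::UnknownStream,
        };
        // Length is checked before a new stream is inserted, so a rejected frame leaves no state.
        if len > credit { return Verdict::BodyTooLarge; }
        self.streams.insert(id, credit - len);
        Verdict::Accepted
    }

    /// Cleanup that reports a missing entry instead of panicking on it.
    fn on_stream_dropped(&mut self, id: u32) -> bool {
        self.streams.remove(&id).is_some()
    }
}

/// Build a constructed Data-frame header (version 0, type 0) for the checks below.
fn header(flags: u16, id: u32, len: u32) -> [u8; 12] {
    let mut h = [0u8; 12];
    h[2..4].copy_from_slice(&flags.to_be_bytes());
    h[4..8].copy_from_slice(&id.to_be_bytes());
    h[8..12].copy_from_slice(&len.to_be_bytes());
    h
}

fn main() {
    let mut conn = Conn::default();
    let v = conn.on_data_header(&header(FLAG_SYN, 1, DEFAULT_CREDIT + 1));
    println!("{:?}, streams tracked: {}", v, conn.streams.len());
}
```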
### Patches
Users should upgrade to `yamux` `v0.13.10`.
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program.
ghsa CVSS4.0
8.7
Vulnerability type
CWE-617
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026