CVE-2026-32314: CWE-248: Uncaught Exception in libp2p rust-yamux
CVE-2026-32314 is a high-severity vulnerability in the Rust implementation of Yamux, a stream multiplexer used in libp2p. The flaw allows a remote attacker to cause a panic (crash) in the connection state machine by sending a specially crafted inbound Data frame with SYN set and a body length exceeding the default credit limit. This triggers an uncaught exception due to improper cleanup of temporary stream state, leading to denial of service. Exploitation requires no authentication or user interaction and is achievable over a normal Yamux session. The issue affects versions prior to 0. 13. 10 and has been fixed in that release. No known exploits are currently reported in the wild. Organizations using libp2p with rust-yamux should update immediately to mitigate potential service disruptions.
AI Analysis
Technical Summary
Yamux is a stream multiplexer protocol that manages multiple logical streams over a single reliable, ordered connection such as TCP/IP. The Rust implementation of Yamux, rust-yamux, prior to version 0.13.10, contains a vulnerability (CVE-2026-32314) classified under CWE-248 (Uncaught Exception). The vulnerability arises when processing an inbound Data frame that is crafted with the SYN flag set and a body length greater than the DEFAULT_CREDIT threshold (e.g., 262,145 bytes). Upon receiving the first packet of a new inbound stream, rust-yamux creates stream state and queues a receiver before validating the oversized body length. If the validation fails, the temporary stream is dropped, and during cleanup, a call to remove(...).expect("stream not found") is made. Because the stream has already been dropped, this call triggers a panic in the connection state machine, causing the entire Yamux connection to crash. This panic is remotely reachable without any authentication or user interaction, making it a critical denial-of-service vector. The vulnerability affects all rust-yamux versions before 0.13.10 and has been addressed in that version. The CVSS 4.0 base score is 8.7, reflecting high severity due to remote exploitability, no required privileges, and a significant impact on availability. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of CVE-2026-32314 is a denial-of-service condition where an attacker can remotely crash the Yamux connection state machine, disrupting communication channels that rely on rust-yamux for multiplexing streams. This can lead to service outages, degraded performance, and potential cascading failures in distributed systems or peer-to-peer networks that use libp2p with rust-yamux. Since no authentication or user interaction is required, attackers can exploit this vulnerability at scale, potentially targeting critical infrastructure, blockchain nodes, decentralized applications, or any service relying on libp2p for network communication. The disruption of stream multiplexing can affect data integrity indirectly by interrupting data flows and may also impact availability of services dependent on stable connections. Organizations with deployments using vulnerable versions risk operational instability and potential loss of trust from users or clients.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade rust-yamux to version 0.13.10 or later, where the issue is fixed. In environments where immediate upgrade is not feasible, network-level filtering can be implemented to detect and block inbound Data frames with suspiciously large body lengths exceeding DEFAULT_CREDIT thresholds, although this is a less reliable workaround. Additionally, monitoring connection stability and implementing automated restarts or failover mechanisms can reduce downtime caused by potential crashes. Developers should audit their use of rust-yamux to ensure no legacy versions remain in production. Incorporating fuzz testing and input validation improvements in the stream multiplexing logic can help prevent similar issues. Finally, maintaining up-to-date dependency management and vulnerability scanning in the software supply chain will aid in early detection and remediation of such vulnerabilities.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, Canada, France, Netherlands, Singapore
CVE-2026-32314: CWE-248: Uncaught Exception in libp2p rust-yamux
Description
CVE-2026-32314 is a high-severity vulnerability in the Rust implementation of Yamux, a stream multiplexer used in libp2p. The flaw allows a remote attacker to cause a panic (crash) in the connection state machine by sending a specially crafted inbound Data frame with SYN set and a body length exceeding the default credit limit. This triggers an uncaught exception due to improper cleanup of temporary stream state, leading to denial of service. Exploitation requires no authentication or user interaction and is achievable over a normal Yamux session. The issue affects versions prior to 0. 13. 10 and has been fixed in that release. No known exploits are currently reported in the wild. Organizations using libp2p with rust-yamux should update immediately to mitigate potential service disruptions.
AI-Powered Analysis
Technical Analysis
Yamux is a stream multiplexer protocol that manages multiple logical streams over a single reliable, ordered connection such as TCP/IP. The Rust implementation of Yamux, rust-yamux, prior to version 0.13.10, contains a vulnerability (CVE-2026-32314) classified under CWE-248 (Uncaught Exception). The vulnerability arises when processing an inbound Data frame that is crafted with the SYN flag set and a body length greater than the DEFAULT_CREDIT threshold (e.g., 262,145 bytes). Upon receiving the first packet of a new inbound stream, rust-yamux creates stream state and queues a receiver before validating the oversized body length. If the validation fails, the temporary stream is dropped, and during cleanup, a call to remove(...).expect("stream not found") is made. Because the stream has already been dropped, this call triggers a panic in the connection state machine, causing the entire Yamux connection to crash. This panic is remotely reachable without any authentication or user interaction, making it a critical denial-of-service vector. The vulnerability affects all rust-yamux versions before 0.13.10 and has been addressed in that version. The CVSS 4.0 base score is 8.7, reflecting high severity due to remote exploitability, no required privileges, and a significant impact on availability. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of CVE-2026-32314 is a denial-of-service condition where an attacker can remotely crash the Yamux connection state machine, disrupting communication channels that rely on rust-yamux for multiplexing streams. This can lead to service outages, degraded performance, and potential cascading failures in distributed systems or peer-to-peer networks that use libp2p with rust-yamux. Since no authentication or user interaction is required, attackers can exploit this vulnerability at scale, potentially targeting critical infrastructure, blockchain nodes, decentralized applications, or any service relying on libp2p for network communication. The disruption of stream multiplexing can affect data integrity indirectly by interrupting data flows and may also impact availability of services dependent on stable connections. Organizations with deployments using vulnerable versions risk operational instability and potential loss of trust from users or clients.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade rust-yamux to version 0.13.10 or later, where the issue is fixed. In environments where immediate upgrade is not feasible, network-level filtering can be implemented to detect and block inbound Data frames with suspiciously large body lengths exceeding DEFAULT_CREDIT thresholds, although this is a less reliable workaround. Additionally, monitoring connection stability and implementing automated restarts or failover mechanisms can reduce downtime caused by potential crashes. Developers should audit their use of rust-yamux to ensure no legacy versions remain in production. Incorporating fuzz testing and input validation improvements in the stream multiplexing logic can help prevent similar issues. Finally, maintaining up-to-date dependency management and vulnerability scanning in the software supply chain will aid in early detection and remediation of such vulnerabilities.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T21:16:21.660Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b473bd2f860ef943aa940a
Added to database: 3/13/2026, 8:29:49 PM
Last enriched: 3/13/2026, 8:44:24 PM
Last updated: 3/13/2026, 11:07:53 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.