CVE-2026-32314: CWE-248: Uncaught Exception in libp2p rust-yamux
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
AI Analysis
Technical Summary
Yamux is a stream multiplexer protocol that manages multiple streams over reliable, ordered connections such as TCP/IP. The Rust implementation of Yamux, used in libp2p, prior to version 0.13.10 contains a vulnerability identified as CVE-2026-32314. The vulnerability arises when processing a specially crafted inbound Data frame that sets the SYN flag and specifies a body length exceeding the DEFAULT_CREDIT threshold (e.g., 262,145 bytes). On receiving the first packet of a new inbound stream, the implementation prematurely creates stream state and queues a receiver before validating the oversized body length. When the validation fails, the temporary stream is dropped, but the cleanup process calls remove(...).expect("stream not found"), which triggers a panic due to the stream being absent from the connection state machine. This uncaught exception causes the connection to crash, resulting in a denial of service. The flaw is remotely exploitable without requiring authentication or user interaction, making it accessible to any attacker able to establish a Yamux session. The vulnerability is classified under CWE-248 (Uncaught Exception) and has a CVSS 4.0 score of 8.7, indicating high severity. The issue is resolved in rust-yamux version 0.13.10. No public exploits are known at this time, but the vulnerability's nature makes it a significant risk for systems relying on libp2p's rust-yamux for multiplexed stream management.
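As an added illustration (model code written for this page, not rust-yamux's own source or its 0.13.10 fix), the Rust sketch below shows the defensive ordering the advisory's root cause calls for: the first frame of a new inbound stream is checked against the initial credit before any stream state is created, and the cleanup path treats a missing map entry as an ordinary result instead of calling expect(). DataFrame, Connection, FrameError and FLAG_SYN are constructed names; the DEFAULT_CREDIT value restates rust-yamux's 256 KiB initial window.

```rust
use std::collections::HashMap;

/// Receive window granted to a brand-new stream; the value matches
/// rust-yamux's DEFAULT_CREDIT (256 KiB) but is restated here for the model.
pub const DEFAULT_CREDIT: u32 = 256 * 1024;
/// SYN flag bit of the yamux frame header.
pub const FLAG_SYN: u16 = 0x1;

/// Decoded Data frame header (constructed model type, not yamux's own).
pub struct DataFrame { pub stream_id: u32, pub flags: u16, pub body_len: u32 }

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// First frame of a new stream carries more bytes than the initial credit.
    OversizedBody { stream_id: u32, body_len: u32, credit: u32 },
}

/// Connection state machine: stream id -> remaining receive credit.
#[derive(Default)]
pub struct Connection { pub streams: HashMap<u32, u32> }

impl Connection {
    /// Hardened ordering: all validation runs before any stream state exists,
    /// so a rejected frame leaves nothing half-registered for cleanup to find.
    pub fn on_data_frame(&mut self, f: &DataFrame) -> Result<(), FrameError> {
        let is_new = (f.flags & FLAG_SYN) != 0 && !self.streams.contains_key(&f.stream_id);
        if is_new {
            if f.body_len > DEFAULT_CREDIT {
                return Err(FrameError::OversizedBody {
                    stream_id: f.stream_id, body_len: f.body_len, credit: DEFAULT_CREDIT,
                });
            }
            self.streams.insert(f.stream_id, DEFAULT_CREDIT);
        }
        // Known stream: charge the body against its credit. Data for an unknown
        // stream without SYN is ignored in this model.
        if let Some(credit) = self.streams.get_mut(&f.stream_id) {
            *credit = credit.saturating_sub(f.body_len);
        }
        Ok(())
    }

    /// Cleanup that reports, rather than expect()s, a missing entry: a stream
    /// that was never registered must not be able to panic the connection.
    pub fn close_stream(&mut self, id: u32) -> bool {
        self.streams.remove(&id).is_some()
    }
}
```

The caller turns an Err into a connection-level protocol error for that peer only, which is the recovery behaviour the mitigation section asks for in place of an unwinding panic.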
Potential Impact
This vulnerability can lead to denial of service (DoS) by crashing the connection state machine of applications using rust-yamux versions prior to 0.13.10. Since libp2p is widely used in decentralized networks, peer-to-peer applications, blockchain nodes, and distributed systems, exploitation could disrupt communication channels, degrade service availability, and potentially cause cascading failures in dependent services. The absence of any authentication requirement and the ease of remote exploitation increase the risk of widespread attacks. Organizations relying on libp2p for critical infrastructure, decentralized applications, or blockchain networks could face service interruptions, impacting business continuity and user trust. Additionally, attackers might leverage this DoS to facilitate further attacks by creating network instability or distracting defenders.
Mitigation Recommendations
The primary mitigation is to upgrade rust-yamux to version 0.13.10 or later, where the vulnerability is fixed. Organizations should audit their dependencies to identify usage of vulnerable rust-yamux versions and apply patches promptly. For environments where immediate upgrade is not feasible, implementing network-level controls to restrict or monitor inbound Yamux sessions can reduce exposure. Rate limiting inbound connections and validating incoming frames at the application layer may help detect and block malformed packets attempting to exploit this flaw. Additionally, integrating robust error handling and recovery mechanisms in applications using rust-yamux can mitigate the impact of unexpected panics. Continuous monitoring for unusual connection terminations or crashes related to Yamux streams is recommended to detect exploitation attempts early.
Affected Countries
United States, Germany, China, Japan, South Korea, United Kingdom, France, Canada, Netherlands, Switzerland, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T21:16:21.660Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b473bd2f860ef943aa940a
Added to database: 3/13/2026, 8:29:49 PM
Last enriched: 3/21/2026, 12:39:57 AM
Last updated: 4/28/2026, 12:54:58 AM