CVE-2026-32941: CWE-770: Allocation of Resources Without Limits or Throttling in BishopFox sliver
Sliver is a command and control framework that uses a custom WireGuard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the time of publication.
AI Analysis
Technical Summary
CVE-2026-32941 is a resource exhaustion vulnerability in the Sliver command and control (C2) framework developed by BishopFox, specifically affecting versions 1.7.3 and earlier. Sliver uses a custom WireGuard network stack and mTLS for secure communication between implants and the C2 server. The vulnerability arises from the way the server processes incoming messages: the socketReadEnvelope and socketWGReadEnvelope functions parse a 4-byte length prefix from attacker-controlled input to determine memory allocation size. The ServerMaxMessageSize parameter allows single allocations of up to approximately 2 GiB. An attacker or a compromised implant with valid credentials can exploit this by sending maliciously crafted length prefixes across up to 128 concurrent yamux streams per connection. This can cause the server to attempt to allocate roughly 256 GiB of memory, overwhelming system resources and triggering an out-of-memory (OOM) kill by the operating system. This results in the Sliver server crashing, terminating all active implant sessions and potentially impacting other processes on the same host due to resource starvation. The same unchecked allocation pattern exists on the implant side, where no upper-bound checks are enforced, making implants vulnerable to similar OOM conditions. At the time of disclosure, no patches or fixes had been released. The vulnerability requires valid credentials to exploit but does not require user interaction, and the attack can be performed remotely over the network. The CVSS 4.0 base score is 5.7 (medium severity), reflecting the moderate ease of exploitation combined with significant availability impact but limited confidentiality or integrity impact.
Potential Impact
The primary impact of CVE-2026-32941 is a denial-of-service (DoS) condition caused by resource exhaustion on the Sliver C2 server and implants. Organizations relying on Sliver for red team operations or adversary simulation may experience sudden and complete disruption of their C2 infrastructure, halting active implant sessions and potentially losing control over deployed implants. This can delay incident response, penetration testing, or threat emulation activities. Additionally, because the OOM kill can affect other processes on the host, critical systems running alongside the Sliver server may also be degraded or terminated, potentially impacting broader operational availability. The requirement for valid credentials limits exploitation to insiders or attackers who have already compromised an implant or obtained access, reducing the likelihood of widespread exploitation but increasing risk in environments where credential compromise is possible. The implant-side vulnerability further increases risk by allowing attackers to crash implants remotely, potentially alerting defenders or causing loss of implant persistence. Overall, the vulnerability threatens availability and operational continuity of red team infrastructure and may indirectly affect confidentiality and integrity by disrupting security testing and monitoring activities.
Mitigation Recommendations
To mitigate CVE-2026-32941, organizations should immediately restrict access to the Sliver C2 server to trusted personnel and networks, minimizing the risk of credential compromise. Implement strict credential management and rotate credentials frequently to reduce the window of opportunity for attackers. Monitor network traffic for anomalous patterns such as multiple concurrent yamux streams with unusually large or malformed length prefixes, which may indicate exploitation attempts. Deploy resource limits at the operating system or container level (e.g., cgroups on Linux) to cap memory usage of the Sliver server process, preventing system-wide OOM conditions. Consider isolating the Sliver server on dedicated hosts or virtual machines to contain potential crashes and avoid collateral damage to other critical services. On the implant side, enforce strict input validation and implement upper-bound checks on memory allocations to prevent unbounded resource consumption. Until an official patch is released, consider using alternative C2 frameworks or updated Sliver versions if available. Engage with BishopFox or the community for updates and patches addressing this vulnerability. Finally, conduct regular security assessments to detect and remediate any unauthorized access or implant compromise.
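The bounded read that the description and the mitigation section call for, shown as an added example in Go (Sliver's implementation language) rather than Sliver's own code: the length prefix is validated against a per-message cap before any allocation, and a per-connection budget keeps many concurrent streams from each claiming that cap at once. The limit values, the ConnBudget type and the ReadEnvelope function are assumptions for illustration, not the project's constants or API.

```go
package main
import (
	"encoding/binary"
	"errors"
	"io"
	"sync/atomic"
)

// Hypothetical limits; Sliver's actual constants are not reproduced here.
const maxEnvelopeSize = 16 << 20  // per-message cap, checked before make()
const maxInFlightBytes = 64 << 20 // aggregate cap across all streams on one connection

var ErrEnvelopeTooLarge = errors.New("envelope length exceeds limit")
var ErrBudgetExceeded = errors.New("connection read budget exhausted")

// ConnBudget tracks bytes reserved for in-flight envelopes on one connection,
// so many concurrent streams cannot each claim the per-message maximum.
type ConnBudget struct{ inFlight int64 }

func (b *ConnBudget) Reserve(n int64) bool {
	if atomic.AddInt64(&b.inFlight, n) > maxInFlightBytes {
		atomic.AddInt64(&b.inFlight, -n) // roll back the reservation
		return false
	}
	return true
}
func (b *ConnBudget) Release(n int64) { atomic.AddInt64(&b.inFlight, -n) }

// ReadEnvelope reads a 4-byte big-endian length prefix, validates it against
// both limits, and only then allocates; the unsafe pattern is make([]byte, n)
// straight after decoding n. io.ReadFull turns a short body into an error.
func ReadEnvelope(r io.Reader, b *ConnBudget) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxEnvelopeSize {
		return nil, ErrEnvelopeTooLarge
	}
	if !b.Reserve(int64(n)) {
		return nil, ErrBudgetExceeded
	}
	defer b.Release(int64(n))
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}
```

The same check applies unchanged to implant-side readers, which the advisory notes have no upper bound at all.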
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Netherlands, Israel, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T00:05:53.283Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcc873e32a4fbe5f2a7907
Added to database: 3/20/2026, 4:09:23 AM
Last enriched: 3/27/2026, 7:30:35 PM
Last updated: 5/4/2026, 2:39:43 AM