CVE-2024-32984

Name of the Vulnerable Software and Affected Versions Yamux (affected versions not specified)

Description Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames, which is not bounded in length. This vector can be remotely triggered to grow indefinitely by opening a new libp2p Identify stream or sending a Yamux Ping frame, causing the node to send its Identify message or a Pong frame, respectively. An attacker can use TCP's receive window mechanism to prevent the victim from sending out any data, leading to a memory overflow. This can result in the corresponding process getting terminated by the operating system. Depending on the application protocols running on top of rust-libp2p, higher amplification factors are possible, and the attack also drives up the victim's CPU load.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.