PT-2026-25360 · Debian+5 · Rust-Yamux+1
Revofusion
·
Published
2026-01-01
·
Updated
2026-03-13
·
CVE-2026-31814
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Yamux versions 0.13.0 through 0.13.8
Description
Yamux is a stream multiplexer used over reliable, ordered connections such as TCP/IP. A specially crafted WindowUpdate frame can cause an arithmetic overflow in the send-window accounting, which panics the connection state machine. The issue is remotely exploitable over a network connection without authentication. It stems from accepting WindowUpdate credit values from a remote peer and applying them to per-stream send-window state without an overflow check. An attacker can establish a Yamux session and crash the target by sending a sequence of frames: opening a stream and then sending a WindowUpdate whose credit value overflows the u32 send window. The result is a remote, unauthenticated denial of service.
Recommendations
Upgrade to Yamux version 0.13.9.
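The overflow class described above, as an added illustration that is not rust-yamux's own code: a per-stream send window in the style the advisory describes, with the unchecked credit update beside a hardened form that rejects credit it cannot hold instead of panicking. Type and function names (`SendWindow`, `WindowError`, `apply_update`) are assumptions; the 256 KiB initial window is the Yamux protocol default.

```rust
// Added illustration, not rust-yamux's code. Names are assumptions.

/// Error returned when a peer's WindowUpdate credit does not fit in the window.
#[derive(Debug, PartialEq, Eq)]
pub enum WindowError {
    /// `window + credit` would exceed u32::MAX.
    Overflow { window: u32, credit: u32 },
}

/// Per-stream send window: bytes this side may still send before more credit arrives.
#[derive(Debug)]
pub struct SendWindow {
    credit: u32,
}

impl SendWindow {
    /// Yamux's initial window is 256 KiB.
    pub fn new() -> Self { SendWindow { credit: 256 * 1024 } }

    pub fn available(&self) -> u32 { self.credit }

    /// Vulnerable form: trusts the remote credit value outright. In a debug build the
    /// addition panics on overflow; in a release build it silently wraps to a tiny window.
    pub fn apply_update_unchecked(&mut self, delta: u32) {
        self.credit += delta;
    }

    /// Hardened form: refuse credit that does not fit and leave the state untouched,
    /// so the caller can reset the stream or close the session as a protocol error.
    pub fn apply_update(&mut self, delta: u32) -> Result<u32, WindowError> {
        match self.credit.checked_add(delta) {
            Some(new) => { self.credit = new; Ok(new) }
            None => Err(WindowError::Overflow { window: self.credit, credit: delta }),
        }
    }

    /// Consume credit when data is sent; saturates at zero rather than underflowing.
    pub fn consume(&mut self, len: u32) { self.credit = self.credit.saturating_sub(len); }
}

/// Drives the hardened window with a constructed frame sequence: one ordinary
/// update, then an oversized one. Returns (window after the ordinary update, error).
pub fn demo() -> (u32, Option<WindowError>) {
    let mut w = SendWindow::new();
    let after_ok = w.apply_update(1024).unwrap();
    let err = w.apply_update(u32::MAX).err();
    (after_ok, err)
}
```

Detection-wise, the hardened path gives the session a single place to log the offending credit value and the peer before tearing the stream down, which the panicking path never reaches.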
Exploit
Fix
Integer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Rust-Yamux
Yamux