CVE-2026-32314

Name of the Vulnerable Software and Affected Versions Yamux versions prior to 0.13.10

Description Yamux is a stream multiplexer operating over reliable, ordered connections like TCP/IP. The Rust implementation of Yamux, before version 0.13.10, is susceptible to a panic when processing a specifically crafted inbound Data frame. This frame sets the SYN flag and utilizes a body length exceeding the DEFAULT CREDIT value (for example, 262145). During the initial packet of a new inbound stream, stream state is created and a receiver is queued before the validation of the oversized body completes. If validation fails, the temporary stream is dropped, and the cleanup process may call remove(...).expect("stream not found"), which triggers a panic within the connection state machine. This issue is remotely exploitable through a standard Yamux session without requiring authentication. The vulnerability occurs because stream state is created and a receiver is queued before oversized-body validation is complete.

Recommendations Versions prior to 0.13.10 should be upgraded to version 0.13.10.