Skip to main content

Rust CVE-2026-31814

| EUVDEUVD-2026-12083 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-13 https://github.com/libp2p/rust-yamux GHSA-4w32-2493-32g7
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 16, 2026 - 14:54 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12083
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:57 nvd
HIGH 8.7

DescriptionGitHub Advisory

Sumary

The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state. A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.

Attack Scenario

An attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:

  1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (DEFAULT_CREDIT).
  2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.

Impact

Remote unauthenticated denial of service. An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.

Patches

Users should upgrade to yamux v0.13.9

This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program

AnalysisAI

Integer overflow in Rust's Yamux implementation allows unauthenticated remote attackers to crash target nodes by sending specially crafted WindowUpdate frames that trigger arithmetic overflow in stream send-window accounting. An attacker can establish a Yamux session and transmit malicious frames without authentication, causing a panic in the connection state machine and resulting in denial of service. A patch is available to address this high-severity vulnerability.

Technical ContextAI

Yamux is a stream multiplexing protocol implementation in Rust that manages multiple logical streams over a single connection. The vulnerability stems from improper validation of WindowUpdate credit values received from remote peers, leading to CWE-190 (Integer Overflow or Wraparound) when these values are added to the current send-window state. The flaw occurs in the connection state machine where arithmetic operations on u32 values can overflow when processing maliciously large credit values like 0xFFFF_0000. This implementation is commonly used in peer-to-peer networking applications, particularly in blockchain and distributed systems contexts as evidenced by the original discovery through the Ethereum Foundation bug bounty program.

RemediationAI

Upgrade the yamux Rust crate to version v0.13.9 or later, which contains the fix for this arithmetic overflow vulnerability. For systems that cannot immediately upgrade, implement network-level controls such as rate limiting on incoming connections and monitoring for repeated connection attempts that could indicate exploitation attempts. Consider implementing connection throttling or temporary IP blocking for sources that repeatedly establish and drop connections, as the attack requires reconnection to maintain denial of service. Review application logs for panic messages related to yamux stream handling that could indicate exploitation attempts.

More in Rust

View all
CVE-2024-3566 CRITICAL POC
9.8 Apr 10

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH

CVE-2021-31162 CRITICAL POC
9.8 Apr 14

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the ele

CVE-2021-28879 CRITICAL POC
9.8 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer ove

CVE-2021-29922 CRITICAL POC
9.1 Aug 07

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginni

CVE-2019-12083 HIGH POC
8.1 May 13

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, c

CVE-2021-28878 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once fo

CVE-2021-28875 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe c

CVE-2019-16760 HIGH POC
7.5 Sep 30

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration

CVE-2024-24576 CRITICAL
10.0 Apr 09

Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no auth

CVE-2018-1000810 CRITICAL
9.8 Oct 08

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contai

CVE-2021-28876 MEDIUM POC
5.3 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (C

CVE-2019-1010299 MEDIUM POC
5.3 Jul 15

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated med

Share

CVE-2026-31814 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy