Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Sumary
The Rust implementation of Yamux accepts WindowUpdate credit values from the remote peer and applies them to per-stream send-window state. A specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.
Attack Scenario
An attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:
- Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (
DEFAULT_CREDIT). - Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.
Impact
Remote unauthenticated denial of service. An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.
Patches
Users should upgrade to yamux v0.13.9
This vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program
AnalysisAI
Integer overflow in Rust's Yamux implementation allows unauthenticated remote attackers to crash target nodes by sending specially crafted WindowUpdate frames that trigger arithmetic overflow in stream send-window accounting. An attacker can establish a Yamux session and transmit malicious frames without authentication, causing a panic in the connection state machine and resulting in denial of service. A patch is available to address this high-severity vulnerability.
Technical ContextAI
Yamux is a stream multiplexing protocol implementation in Rust that manages multiple logical streams over a single connection. The vulnerability stems from improper validation of WindowUpdate credit values received from remote peers, leading to CWE-190 (Integer Overflow or Wraparound) when these values are added to the current send-window state. The flaw occurs in the connection state machine where arithmetic operations on u32 values can overflow when processing maliciously large credit values like 0xFFFF_0000. This implementation is commonly used in peer-to-peer networking applications, particularly in blockchain and distributed systems contexts as evidenced by the original discovery through the Ethereum Foundation bug bounty program.
RemediationAI
Upgrade the yamux Rust crate to version v0.13.9 or later, which contains the fix for this arithmetic overflow vulnerability. For systems that cannot immediately upgrade, implement network-level controls such as rate limiting on incoming connections and monitoring for repeated connection attempts that could indicate exploitation attempts. Consider implementing connection throttling or temporary IP blocking for sources that repeatedly establish and drop connections, as the attack requires reconnection to maintain denial of service. Review application logs for panic messages related to yamux stream handling that could indicate exploitation attempts.
Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH
In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the ele
In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer ove
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginni
The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, c
In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once fo
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe c
Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration
Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no auth
The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contai
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (C
The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated med
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12083
GHSA-4w32-2493-32g7