Skip to main content

Rust CVE-2026-32314

| EUVDEUVD-2026-12095 HIGH
Uncaught Exception (CWE-248)
2026-03-13 GitHub_M GHSA-vxx9-2994-q338
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 21:01 euvd
EUVD-2026-12095
Analysis Generated
Mar 13, 2026 - 21:01 vuln.today
CVE Published
Mar 13, 2026 - 19:53 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 cargo packages depend on yamux (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.13.10.

DescriptionGitHub Advisory

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.

AnalysisAI

Rust Yamux prior to version 0.13.10 is vulnerable to denial of service when processing specially crafted inbound stream frames that combine the SYN flag with oversized body lengths, causing the connection handler to panic due to improper state cleanup. An unauthenticated remote attacker can trigger this panic over any normal Yamux session without special privileges, crashing affected applications. No patch is currently available for this high-severity vulnerability.

Technical ContextAI

Yamux is a stream multiplexing protocol library that enables multiple logical streams over a single reliable connection like TCP/IP, commonly used in peer-to-peer and distributed systems. The vulnerability stems from improper error handling (CWE-248) in the Rust implementation where the code fails to properly validate oversized Data frames before creating stream state. When an inbound Data frame sets the SYN flag and includes a body length exceeding DEFAULT_CREDIT (262145 bytes), the implementation creates temporary stream state and queues a receiver before completing validation. When validation subsequently fails, cleanup code calls remove().expect() on a stream that was never fully established, causing a panic in the connection state machine.

RemediationAI

The primary remediation is to upgrade the Yamux Rust library to version 0.13.10 or later, which contains the fix for this vulnerability. Development teams should update their Cargo.toml dependencies to specify yamux = "0.13.10" or higher and rebuild affected applications. As a temporary mitigation, consider implementing connection rate limiting and monitoring for unusual connection patterns that could indicate exploitation attempts. Network segmentation to limit exposure of services using Yamux to untrusted networks can also reduce attack surface until patching is complete.

More in Rust

View all
CVE-2024-3566 CRITICAL POC
9.8 Apr 10

Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH

CVE-2021-31162 CRITICAL POC
9.8 Apr 14

In the standard library in Rust before 1.52.0, a double free can occur in the Vec::from_iter function if freeing the ele

CVE-2021-28879 CRITICAL POC
9.8 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation can report an incorrect size due to an integer ove

CVE-2021-29922 CRITICAL POC
9.1 Aug 07

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginni

CVE-2019-12083 HIGH POC
8.1 May 13

The Rust Programming Language Standard Library 1.34.x before 1.34.2 contains a stabilized method which, if overridden, c

CVE-2021-28878 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation calls __iterator_get_unchecked() more than once fo

CVE-2021-28875 HIGH POC
7.5 Apr 11

In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe c

CVE-2019-16760 HIGH POC
7.5 Sep 30

Cargo prior to Rust 1.26.0 may download the wrong dependency if your package.toml file uses the `package` configuration

CVE-2024-24576 CRITICAL
10.0 Apr 09

Rust is a programming language. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no auth

CVE-2018-1000810 CRITICAL
9.8 Oct 08

The Rust Programming Language Standard Library version 1.29.0, 1.28.0, 1.27.2, 1.27.1, 127.0, 126.2, 126.1, 126.0 contai

CVE-2021-28876 MEDIUM POC
5.3 Apr 11

In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. Rated medium severity (C

CVE-2019-1010299 MEDIUM POC
5.3 Jul 15

The Rust Programming Language Standard Library 1.18.0 and later is affected by: CWE-200: Information Exposure. Rated med

Share

CVE-2026-32314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy