Source: rust-yamux
Version: 0.13.9+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-yamux.
CVE-2026-32314[0]:
| Yamux is a stream multiplexer over reliable, ordered connections
| such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux
| can panic when processing a crafted inbound Data frame that sets SYN
| and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On
| the first packet of a new inbound stream, stream state is created
| and a receiver is queued before oversized-body validation completes.
| When validation fails, the temporary stream is dropped and cleanup
| may call remove(...).expect("stream not found"), triggering a panic
| in the connection state machine. This is remotely reachable over a
| normal Yamux session and does not require authentication. This
| vulnerability is fixed in 0.13.10.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32314
https://www.cve.org/CVERecord?id=CVE-2026-32314
[1] https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338
[2] https://github.com/libp2p/rust-yamux/commit/ac71745226b99191249bbbb0420aceba052c150c
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
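Added example (not rust-yamux code and not part of the bug report): a minimal model of the frame and the validate-before-allocate ordering the advisory text implies. The 12-byte header layout (version, type, 16-bit flags, stream ID, length, all big-endian; Data = 0x0, SYN = 0x1) is the Yamux wire format; DEFAULT_CREDIT is taken as 256 KiB because the advisory's example body length 262145 is that value plus one; the `Connection` stream table, the `Reject` error type and the stream ID 3 are assumptions made for illustration. The point shown is that an oversized SYN Data frame is rejected before any stream state exists, so there is nothing to drop and no `remove(...).expect(...)` cleanup path to hit.

```rust
use std::collections::HashMap;

/// Yamux frame header as it appears on the wire (12 bytes, big-endian fields).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Header {
    pub version: u8,
    pub frame_type: u8,
    pub flags: u16,
    pub stream_id: u32,
    pub length: u32,
}

pub const TYPE_DATA: u8 = 0x0;
pub const FLAG_SYN: u16 = 0x1;
/// Assumed to match rust-yamux's default receive window (256 KiB); the
/// advisory's example body length, 262145, is this value plus one.
pub const DEFAULT_CREDIT: u32 = 256 * 1024;

impl Header {
    pub fn encode(&self) -> [u8; 12] {
        let mut b = [0u8; 12];
        b[0] = self.version;
        b[1] = self.frame_type;
        b[2..4].copy_from_slice(&self.flags.to_be_bytes());
        b[4..8].copy_from_slice(&self.stream_id.to_be_bytes());
        b[8..12].copy_from_slice(&self.length.to_be_bytes());
        b
    }

    pub fn decode(b: &[u8]) -> Option<Header> {
        if b.len() < 12 {
            return None;
        }
        Some(Header {
            version: b[0],
            frame_type: b[1],
            flags: u16::from_be_bytes([b[2], b[3]]),
            stream_id: u32::from_be_bytes([b[4], b[5], b[6], b[7]]),
            length: u32::from_be_bytes([b[8], b[9], b[10], b[11]]),
        })
    }
}

/// The crafted frame from the advisory: Data frame, SYN set, body larger
/// than DEFAULT_CREDIT. Useful as input for a regression test against a
/// local build; only the header is modelled here.
pub fn crafted_oversized_syn(stream_id: u32) -> Header {
    Header { version: 0, frame_type: TYPE_DATA, flags: FLAG_SYN, stream_id, length: DEFAULT_CREDIT + 1 }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    BodyExceedsCredit { length: u32, credit: u32 },
    DuplicateStream(u32),
    UnknownStream(u32),
    NotData(u8),
}

/// Hypothetical connection model: remaining receive window per open stream.
#[derive(Default)]
pub struct Connection {
    pub streams: HashMap<u32, u32>,
}

impl Connection {
    /// Validate-first handling. A SYN Data frame is checked against the
    /// window before any stream entry is inserted, so a rejected frame
    /// leaves `streams` untouched and no partially built stream has to be
    /// torn down afterwards.
    pub fn on_data_frame(&mut self, h: &Header) -> Result<(), Reject> {
        if h.frame_type != TYPE_DATA {
            return Err(Reject::NotData(h.frame_type));
        }
        if h.flags & FLAG_SYN != 0 {
            if h.length > DEFAULT_CREDIT {
                return Err(Reject::BodyExceedsCredit { length: h.length, credit: DEFAULT_CREDIT });
            }
            if self.streams.contains_key(&h.stream_id) {
                return Err(Reject::DuplicateStream(h.stream_id));
            }
            // Only now does stream state come into existence.
            self.streams.insert(h.stream_id, DEFAULT_CREDIT - h.length);
            return Ok(());
        }
        // Data on an already-open stream: enforce the remaining window.
        let window = self.streams.get_mut(&h.stream_id).ok_or(Reject::UnknownStream(h.stream_id))?;
        if h.length > *window {
            return Err(Reject::BodyExceedsCredit { length: h.length, credit: *window });
        }
        *window -= h.length;
        Ok(())
    }
}

fn main() {
    let h = crafted_oversized_syn(3);
    println!("crafted header bytes: {:02x?}", h.encode());
    let mut conn = Connection::default();
    println!("validate-first result: {:?}", conn.on_data_frame(&h));
    println!("streams after rejection: {}", conn.streams.len());
}
```

The encoded crafted header ends in `00 04 00 01` (262145), and `on_data_frame` returns `BodyExceedsCredit` while the stream table stays empty; on an unpatched 0.13.9 peer the same frame, sent as the first packet of a new inbound stream, is what the advisory says reaches the panicking cleanup path.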