Approved changes feed: RSS · Atom
cpe:2.3:a:protocol:yamux:*:*:*:*:*:rust:*:*
part: a version: * update: *
| Vendor | Protocol (f2b98f42-7d41-5397-b702-40a5f7aae0b0) |
|---|---|
| Product | Yamux (fde6c8f9-4d19-5b9b-8743-7a2c39ba939d) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | rust |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-32314 |
vulnerable | 2026-06-03 15:20:42.754201 |
Yamux remote Panic via malformed Data frame with SYN set and len = 262145
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. This vulnerability is fixed in 0.13.10.
Published: 2026-03-13T19:53:08.823Z
Updated: 2026-03-16T13:48:29.665Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-31814 |
vulnerable | 2026-06-03 15:20:41.140996 |
Yamux remote Panic via malformed WindowUpdate credit
Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.
Published: 2026-03-13T19:19:41.879Z
Updated: 2026-03-13T19:38:02.290Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.