{"url":"http://public2.vulnerablecode.io/api/packages/103360?format=json","purl":"pkg:deb/debian/rust-yamux@0.13.10%2Bds-2?distro=trixie","type":"deb","namespace":"debian","name":"rust-yamux","version":"0.13.10+ds-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.13.9+ds-1","latest_non_vulnerable_version":"0.13.10+ds-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76962?format=json","vulnerability_id":"VCID-uunt-aehm-nqfk","summary":"Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. Prior to 0.13.10, the Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(...).expect(\"stream not found\"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication. \nThis vulnerability is fixed in 0.13.10.","references":[{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130752","reference_id":"1130752","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130752"},{"reference_url":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338","reference_id":"GHSA-vxx9-2994-q338","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-16T13:47:55Z/"}],"url":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-vxx9-2994-q338"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103362?format=json","purl":"pkg:deb/debian/rust-yamux@0.13.10%2Bds-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-yamux@0.13.10%252Bds-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103360?format=json","purl":"pkg:deb/debian/rust-yamux@0.13.10%2Bds-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-yamux@0.13.10%252Bds-2%3Fdistro=trixie"}],"aliases":["CVE-2026-32314"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uunt-aehm-nqfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71414?format=json","vulnerability_id":"VCID-x34g-nugc-eua3","summary":"Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. From 0.13.0 to before 0.13.9, a specially crafted WindowUpdate can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. \nThis is remotely reachable over a normal network connection and does not require authentication. This vulnerability is fixed in 0.13.9.","references":[{"reference_url":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7","reference_id":"GHSA-4w32-2493-32g7","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-13T19:37:53Z/"}],"url":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/103361?format=json","purl":"pkg:deb/debian/rust-yamux@0.13.9%2Bds-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-yamux@0.13.9%252Bds-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/103360?format=json","purl":"pkg:deb/debian/rust-yamux@0.13.10%2Bds-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-yamux@0.13.10%252Bds-2%3Fdistro=trixie"}],"aliases":["CVE-2026-31814"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x34g-nugc-eua3"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/rust-yamux@0.13.10%252Bds-2%3Fdistro=trixie"}