
fix(deps): upgrade yamux to v0.13.10 (CVE-2026-32314)#213

Merged
platinummonkey merged 1 commit into main from fix/dependabot-yamux-vuln on Mar 18, 2026

Conversation

@platinummonkey
Collaborator

Summary

Upgrades yamux from v0.13.9 to v0.13.10 to resolve Dependabot alert #4 (GHSA-vxx9-2994-q338 / CVE-2026-32314), a high-severity remote panic vulnerability.

Changes

  • Cargo.lock: bumped yamux 0.13.9 → 0.13.10

Security Details

yamux < 0.13.10 panics when processing a crafted inbound Data frame with SYN set and body length > DEFAULT_CREDIT (262145). The panic is remotely reachable without authentication and can crash the process.

Testing

  • All 447 unit tests pass (cargo test)

Related Issues

Closes https://github.com/datadog-labs/pup/security/dependabot/4


🤖 Generated with Claude Code

Resolves Dependabot alert #4 (GHSA-vxx9-2994-q338).

yamux < 0.13.10 can panic when processing a crafted inbound Data frame
with SYN set and body length > DEFAULT_CREDIT (262145). The panic is
remotely reachable without authentication.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@platinummonkey platinummonkey merged commit 0e4c545 into main Mar 18, 2026
7 checks passed
@platinummonkey platinummonkey deleted the fix/dependabot-yamux-vuln branch March 18, 2026 01:13
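The PR fixes the issue by taking the patched crate, so it shows no code. As an added example (not code from the pup project or from the yamux crate, and not the crate's actual fix), the block below encodes and decodes the 12-byte yamux frame header from the public yamux spec (version, type, flags, stream id, length, all big-endian) and adds a hypothetical `check_inbound` guard that rejects an inbound Data frame carrying SYN whose body length exceeds the initial receive window. `DEFAULT_CREDIT` is set here to the spec's 256 KiB initial window (262144), which makes 262145, the length the PR cites, the first rejected value; the constant name mirrors the PR's wording and is an assumption, not a reference to the crate's definition. The `crafted_syn_data_frame` helper builds the constructed sample frame.

```rust
// Added example: yamux frame header codec (per the public yamux spec) plus a
// hypothetical pre-check for oversized SYN Data frames. Illustration only; this
// is not the libp2p yamux crate's code or its fix for GHSA-vxx9-2994-q338.

/// Initial per-stream receive window from the yamux spec (256 KiB). Assumed
/// value for this example; named after the constant the PR description cites.
pub const DEFAULT_CREDIT: u32 = 256 * 1024;

/// Frame type 0x0 is Data; flag bit 0x1 is SYN (opens a new stream).
pub const TYPE_DATA: u8 = 0x0;
pub const FLAG_SYN: u16 = 0x1;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Header {
    pub version: u8,
    pub frame_type: u8,
    pub flags: u16,
    pub stream_id: u32,
    pub length: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub enum FrameError {
    TooShort,
    UnsupportedVersion(u8),
    SynDataExceedsWindow { stream_id: u32, length: u32, window: u32 },
}

impl Header {
    /// Serialize to the 12-byte wire header, big-endian fields.
    pub fn encode(&self) -> [u8; 12] {
        let mut buf = [0u8; 12];
        buf[0] = self.version;
        buf[1] = self.frame_type;
        buf[2..4].copy_from_slice(&self.flags.to_be_bytes());
        buf[4..8].copy_from_slice(&self.stream_id.to_be_bytes());
        buf[8..12].copy_from_slice(&self.length.to_be_bytes());
        buf
    }

    /// Parse a wire header; rejects short input and unknown versions.
    pub fn decode(buf: &[u8]) -> Result<Header, FrameError> {
        if buf.len() < 12 {
            return Err(FrameError::TooShort);
        }
        let version = buf[0];
        if version != 0 {
            return Err(FrameError::UnsupportedVersion(version));
        }
        Ok(Header {
            version,
            frame_type: buf[1],
            flags: u16::from_be_bytes([buf[2], buf[3]]),
            stream_id: u32::from_be_bytes([buf[4], buf[5], buf[6], buf[7]]),
            length: u32::from_be_bytes([buf[8], buf[9], buf[10], buf[11]]),
        })
    }
}

/// Hypothetical guard: a Data frame that opens a stream (SYN set) may not carry
/// more bytes than the receiver has granted, which for a brand-new stream is the
/// initial window. Returning Err lets the caller reset the stream or drop the
/// connection instead of trusting the peer's length field.
pub fn check_inbound(hdr: &Header) -> Result<(), FrameError> {
    if hdr.frame_type == TYPE_DATA && hdr.flags & FLAG_SYN != 0 && hdr.length > DEFAULT_CREDIT {
        return Err(FrameError::SynDataExceedsWindow {
            stream_id: hdr.stream_id,
            length: hdr.length,
            window: DEFAULT_CREDIT,
        });
    }
    Ok(())
}

/// Constructed sample input: the frame shape the PR describes (Data, SYN set,
/// caller-chosen body length) on stream 1.
pub fn crafted_syn_data_frame(length: u32) -> [u8; 12] {
    Header { version: 0, frame_type: TYPE_DATA, flags: FLAG_SYN, stream_id: 1, length }.encode()
}

fn main() {
    // DEFAULT_CREDIT is accepted; DEFAULT_CREDIT + 1 (262145) is rejected.
    for len in [DEFAULT_CREDIT, DEFAULT_CREDIT + 1] {
        let hdr = Header::decode(&crafted_syn_data_frame(len)).unwrap();
        match check_inbound(&hdr) {
            Ok(()) => println!("len={len}: accepted"),
            Err(e) => println!("len={len}: rejected: {e:?}"),
        }
    }
}
```

The point of the guard is where it sits: it runs on the parsed header before any buffer is sized or any credit arithmetic happens, so a peer that lies about the body length gets a clean error rather than a process crash. The actual remediation for this alert is the version bump in Cargo.lock; the example only shows the shape of check a multiplexer needs against this class of input.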