{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32941", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T00:05:53.283Z", "datePublished": "2026-03-20T03:37:40.884Z", "dateUpdated": "2026-03-21T02:53:38.174Z"}, "containers": {"cna": {"title": "Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc"}], "affected": [{"vendor": "BishopFox", "product": "sliver", "versions": [{"version": "<= 1.7.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:37:40.884Z"}, "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication."}], "source": {"advisory": "GHSA-97vp-pwqj-46qc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T02:53:15.841645Z", "id": "CVE-2026-32941", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:53:38.174Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32941", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T02:53:15.841645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T02:53:33.795Z"}}], "cna": {"title": "Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports", "source": {"advisory": "GHSA-97vp-pwqj-46qc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "BishopFox", "product": "sliver", "versions": [{"status": "affected", "version": "<= 1.7.3"}]}], "references": [{"url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc", "name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T03:37:40.884Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32941", "state": "PUBLISHED", "dateUpdated": "2026-03-21T02:53:38.174Z", "dateReserved": "2026-03-17T00:05:53.283Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T03:37:40.884Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F9D34DC-4587-4F54-A769-5B833439B841", "versionEndIncluding": "1.7.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication."}, {"lang": "es", "value": "Sliver es un framework de comando y control que utiliza una pila de red Wireguard personalizada. Las versiones 1.7.3 e inferiores contienen una vulnerabilidad remota de OOM (Out-of-Memory) en la capa de transporte mTLS y WireGuard C2 del servidor C2 de Sliver. Las funciones socketReadEnvelope y socketWGReadEnvelope conf\u00edan en un prefijo de longitud de 4 bytes controlado por el atacante para asignar memoria, con ServerMaxMessageSize permitiendo asignaciones \u00fanicas de hasta ~2 GiB. Un implante comprometido o un atacante con credenciales v\u00e1lidas puede explotar esto enviando prefijos de longitud fabricados a trav\u00e9s de flujos yamux concurrentes (hasta 128 por conexi\u00f3n), forzando al servidor a intentar asignar ~256 GiB de memoria y desencadenando una eliminaci\u00f3n OOM del sistema operativo. Esto bloquea el servidor de Sliver, interrumpe todas las sesiones de implantes activas y puede degradar o eliminar otros procesos que comparten el mismo host. El mismo patr\u00f3n tambi\u00e9n afecta a todos los lectores del lado del implante, que no tienen ninguna verificaci\u00f3n de l\u00edmite superior. El problema no se hab\u00eda solucionado en el momento de la publicaci\u00f3n."}], "id": "CVE-2026-32941", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T04:16:49.560", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-97vp-pwqj-46qc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}, {"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.7.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sliver", "source": "cna", "vendor": "BishopFox"}, "product": "sliver", "vendor": "bishopfox"}], "analysis": {"en": {"generated_at": "2026-03-24T13:42:46.354929+00:00", "value": {"mitigation_remediation": ["Upgrade Sliver to a version newer than 1.7.3 as soon as a patch is released.", "If an upgrade is not immediately possible, limit ServerMaxMessageSize and the maximum number of concurrent Yamux streams to reduce the potential allocation size.", "Continuously monitor the C2 server\u2019s memory usage and enforce automatic restart or containment policies when abnormal usage is detected.", "Revoke credentials for any compromised implants and regenerate new credentials for all active implants.", "Consider disabling the mTLS/WireGuard transport temporarily until the vulnerability is addressed, if such a change is operationally acceptable."], "summary": {"action": "Patch", "impact": "Out-of-Memory induced service disruption"}, "threat_synthesis": {"affected_systems": "BishopFox Sliver, versions 1.7.3 and earlier.", "description_and_impact": "An attacker who can authenticate to a Sliver C2 server or has taken control of an implant can send specially crafted 4\u2011byte length prefixes over the mTLS or WireGuard transport. The socketReadEnvelope and socketWGReadEnvelope functions use these prefixes to allocate a buffer, and because ServerMaxMessageSize is configured to allow allocations near 2\u202fGiB, a single malicious prefix can cause the server to request several hundred gigabytes of memory. The resulting out\u2011of\u2011memory condition triggers the operating system to kill the Sliver process, taking down all active implant sessions and potentially affecting other services running on the same host. This weakness matches CWE\u2011770 and CWE\u2011789, which describe uncontrolled allocation and missing bounds checking.", "risk_and_exploitability": "The CVSS score of 5.7 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild and the vulnerability is not listed in CISA\u2019s KEV catalog. Successful exploitation requires legitimate credentials or a compromised implant; an attacker then needs to transmit up to 128 concurrent Yamux streams with fabricated length prefixes to reach the allocation limit. When triggered, the exploit causes a denial\u2011of\u2011service that disrupts the C2 server and may cause collateral damage to other processes on the host. Due to the authentication requirement, the risk is moderate for environments running unpatched Sliver, but a compromised implant elevates the threat level for any organization relying on those implants."}}}}, "created": "2026-03-20T08:52:46.837585+00:00", "updated": "2026-03-25T14:09:27.337275+00:00", "vendors": ["bishopfox", "bishopfox$PRODUCT$sliver"]}