Sliver, Remote OOM, CVE-2026-32941 (Critical)

Listen to this Post

The vulnerability exists within the Sliver C2 server’s mTLS and WireGuard transport layers, specifically in the `socketReadEnvelope` and `socketWGReadEnvelope` functions. These functions parse incoming network traffic by first reading a 4-byte length prefix that dictates the size of the subsequent message. This length value is provided by the attacker (or a compromised implant) and is trusted without proper validation against system constraints beyond a theoretical `ServerMaxMessageSize` of ~2 GiB. By opening concurrent yamux streams (up to 128 per connection), an attacker can send multiple fabricated length prefixes simultaneously. For each stream, the server attempts to allocate memory based on these malicious lengths. With 128 streams requesting ~2 GiB allocations, the server attempts to allocate roughly 256 GiB of memory. This rapid allocation spike triggers the operating system’s Out-Of-Memory (OOM) killer, which terminates the Sliver server process. This results in a complete denial of service, severing all active implant sessions and potentially impacting co-located processes. Additionally, the implant-side readers lack any upper-bound checks, making them equally vulnerable to crashes.
Platform: Sliver C2
Version: 1.7.3 and below
Vulnerability: Remote OOM DoS
Severity: Critical
date: 2026-03-24

Prediction: Patch unfixed; estimate 2026-05-01

What Undercode Say:

Simulate the allocation pattern by sending crafted length prefixes
Note: This is for educational analysis; requires valid credentials or implant access.
Using socat to send a 4-byte length prefix (0x7FFFFFFF) over mTLS port
This forces the server to attempt a 2GB allocation per stream.
echo -ne "\x7f\xff\xff\xff" | socat - OPENSSL-CONNECT:target-c2:8443,verify=0
Concurrent yamux stream exhaustion script concept
for i in {1..128}; do
(while true; do echo -ne "\x7f\xff\xff\xff"; sleep 0.1; done) | socat - OPENSSL-CONNECT:target-c2:8443,verify=0 &
done

Exploit:

Compromised implant or authenticated attacker sends crafted length prefixes across max yamux streams, forcing excessive memory allocation and triggering OS OOM kill.

Protection from this CVE

Apply upstream patch once released; enforce strict network rate limiting; monitor memory allocation patterns; deploy resource limits (cgroups) on server process.

Impact:

Complete C2 server crash, termination of all active implant sessions, disruption of operations, and potential cascading failures to co-located services.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top