CVE-2026-32941
CVE-2026-32941 is a medium-severity vulnerability in Bishopfox Sliver with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 5.7
- EPSS exploit prediction: 0% (22nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13518
- Weakness: CWE-770
- Affected product: Bishopfox Sliver
- Published:
- Last modified:
Description
Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication.
Frequently asked questions
- What is CVE-2026-32941?
- Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the the time of publication.
- How severe is CVE-2026-32941?
- CVE-2026-32941 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-32941 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (22nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-32941?
- CVE-2026-32941 affects Bishopfox Sliver. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-32941?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-32941 have an EU (EUVD) identifier?
- Yes. CVE-2026-32941 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13518.
- When was CVE-2026-32941 published?
- CVE-2026-32941 was published on 2026-03-20 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*
More vulnerabilities in Bishopfox Sliver
- CVE-2026-34227 — High (CVSS 8.8): Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click…
- CVE-2023-34758 — High (CVSS 8.1): Sliver from v1.5.x to v1.5.39 has an improper cryptographic implementation, which allows attackers to execute a…
- CVE-2026-25791 — High (CVSS 7.5): Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.7.0, the DNS C2 listener…
- CVE-2026-29781 — Medium (CVSS 6.5): Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a…
- CVE-2026-25760 — Medium (CVSS 6.5): Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in…
- CVE-2025-27090 — Medium (CVSS 5.3): Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all…
All CVEs affecting Bishopfox Sliver →
Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities
- CVE-2026-31283 — Critical (CVSS 9.8): In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email…
- CVE-2020-37067 — Critical (CVSS 9.8): Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers…
- CVE-2021-47875 — Critical (CVSS 9.8): GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the…
- CVE-2025-11832 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling vulnerability in Azure Access Technology BLU-IC2, Azure Access…
- CVE-2024-44241 — Critical (CVSS 9.8): The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1, macOS Sequoia…
- CVE-2022-3439 — Critical (CVSS 9.8): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0.
Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →