CVE-2026-32314: Yamux vulnerable to remote Panic via malformed Data frame with SYN set and len = 262145
The Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(…).expect("stream not found"), triggering a panic in the connection state machine. This is remotely reachable over a normal Yamux session and does not require authentication.
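The ordering problem described above, reduced to a toy model (an added example, not code from the yamux crate): it contrasts allocate-then-validate with `expect` cleanup against validate-first with tolerant cleanup. `Conn`, `DataFrame` and the function names are hypothetical, and `DEFAULT_CREDIT` is assumed to be 256 KiB.

```rust
use std::collections::{HashMap, VecDeque};

// Simplified model for illustration; these are not the yamux crate's types.
// Assumption: DEFAULT_CREDIT is 256 KiB, matching the advisory's 262145 example.
const DEFAULT_CREDIT: u32 = 262_144;

pub struct DataFrame { pub stream_id: u32, pub syn: bool, pub len: u32 }

#[derive(Default)]
pub struct Conn {
    streams: HashMap<u32, u32>, // stream id -> bytes buffered
    receivers: VecDeque<u32>,   // receivers queued for newly opened streams
}

impl Conn {
    /// Ordering from the advisory: state is queued first, the length is
    /// checked second, and the failure path cleans up with `expect`.
    pub fn on_data_vulnerable(&mut self, f: &DataFrame) -> Result<(), &'static str> {
        if f.syn { self.receivers.push_back(f.stream_id); }
        if f.len > DEFAULT_CREDIT {
            if f.syn { self.receivers.pop_back(); }
            // A new stream was never registered, so this unwinds the caller.
            self.streams.remove(&f.stream_id).expect("stream not found");
            return Err("body exceeds credit");
        }
        if f.syn { self.streams.insert(f.stream_id, 0); }
        Ok(())
    }

    /// Hardened ordering: reject before allocating any per-stream state.
    pub fn on_data_hardened(&mut self, f: &DataFrame) -> Result<(), &'static str> {
        if f.len > DEFAULT_CREDIT { return Err("body exceeds credit"); }
        if f.syn {
            self.receivers.push_back(f.stream_id);
            self.streams.insert(f.stream_id, 0);
        }
        Ok(())
    }

    /// Cleanup that treats an already-absent id as a no-op instead of a panic.
    pub fn close(&mut self, id: u32) -> bool { self.streams.remove(&id).is_some() }
}

fn main() {
    // Constructed frame using the advisory's values: SYN set, len = 262145.
    let f = DataFrame { stream_id: 1, syn: true, len: DEFAULT_CREDIT + 1 };
    let mut c = Conn::default();
    println!("hardened: {:?}, streams left: {}", c.on_data_hardened(&f), c.streams.len());
}
```

In the hardened path a peer-controlled length yields an error the connection can handle, and no map entry or queued receiver exists for the rejected stream.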