CVE-2026-32941 in Sliver

Summary

by MITRE • 03/20/2026

Sliver is a command and control framework that uses a custom Wireguard netstack. Versions 1.7.3 and below contain a Remote OOM (Out-of-Memory) vulnerability in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single allocations of up to ~2 GiB. A compromised implant or an attacker with valid credentials can exploit this by sending fabricated length prefixes over concurrent yamux streams (up to 128 per connection), forcing the server to attempt allocating ~256 GiB of memory and triggering an OS OOM kill. This crashes the Sliver server, disrupts all active implant sessions, and may degrade or kill other processes sharing the same host. The same pattern also affects all implant-side readers, which have no upper-bound check at all. The issue was not fixed at the time of publication.


Analysis

by VulDB Data Team • 03/26/2026

The vulnerability CVE-2026-32941 represents a critical remote out-of-memory condition affecting Sliver C2 frameworks version 1.7.3 and earlier. This issue stems from improper memory allocation handling within the framework's custom WireGuard netstack implementation, specifically in the mTLS and WireGuard C2 transport layer components. The flaw manifests in the socketReadEnvelope and socketWGReadEnvelope functions which blindly trust attacker-controlled 4-byte length prefixes when determining memory allocation sizes. This design oversight creates a path for remote attackers to manipulate memory consumption patterns through crafted network packets, fundamentally undermining the server's stability and operational integrity.

The technical exploitation mechanism leverages the ServerMaxMessageSize parameter, which permits individual memory allocations of up to approximately 2 gigabytes. Because the transport multiplexes up to 128 concurrent yamux streams per connection, an attacker can send a fabricated length prefix on every stream at once, so the server attempts to allocate approximately 256 gigabytes in aggregate and triggers the operating system's out-of-memory killer. The vulnerability operates at the transport layer and affects both server-side and implant-side components, with the latter lacking any upper-bound check on the length prefix at all. This dual impact means that exploitation can occur from multiple vectors, increasing the attack surface and potential for successful compromise.
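The weakness described in the summary and in the two paragraphs above is a length-prefixed framing reader that allocates whatever size the 4-byte prefix claims. The Go example below is added here for illustration and is not Sliver's code: the function names (readEnvelopeUnbounded, readEnvelopeBounded, connBudget), the limits (a 1 MiB per-message cap and an 8 MiB per-connection budget) and the sample frames are all constructed assumptions. It places the trusting reader beside a hardened one that checks the prefix against a per-message cap and a shared per-connection budget before any allocation, which is what defeats the "many concurrent streams each claiming the maximum" pattern.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"sync"
)

// Constructed limits for this example (assumptions, not Sliver's constants).
const (
	maxMessageSize   = 1 << 20 // per-envelope cap: 1 MiB
	maxInFlightBytes = 8 << 20 // aggregate cap for all streams on one connection: 8 MiB
)

var (
	errTooLarge       = errors.New("envelope exceeds per-message limit")
	errBudgetExceeded = errors.New("connection allocation budget exceeded")
)

// readEnvelopeUnbounded mirrors the weak pattern from the advisory: the
// 4-byte big-endian length prefix is used directly as the allocation size,
// so four bytes from the peer can request a multi-gigabyte buffer.
func readEnvelopeUnbounded(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	buf := make([]byte, n) // attacker-controlled size, no bound
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// connBudget tracks bytes currently reserved for in-flight envelopes on one
// connection, so concurrent streams cannot each claim the per-message maximum
// at the same time (the 128 x ~2 GiB case from the advisory).
type connBudget struct {
	mu       sync.Mutex
	inFlight uint64
	limit    uint64
}

func (b *connBudget) reserve(n uint64) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.inFlight+n > b.limit {
		return false
	}
	b.inFlight += n
	return true
}

func (b *connBudget) release(n uint64) {
	b.mu.Lock()
	b.inFlight -= n
	b.mu.Unlock()
}

// readEnvelopeBounded validates the prefix against the per-message cap and
// the connection budget before allocating; the budget is held only for the
// duration of the read, after which the caller owns the buffer.
func readEnvelopeBounded(r io.Reader, budget *connBudget) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxMessageSize {
		return nil, fmt.Errorf("%w: %d bytes", errTooLarge, n)
	}
	if !budget.reserve(uint64(n)) {
		return nil, errBudgetExceeded
	}
	defer budget.release(uint64(n))
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	return buf, nil
}

// frame builds a well-formed envelope: 4-byte big-endian length plus payload
// (constructed sample input).
func frame(payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(out, uint32(len(payload)))
	copy(out[4:], payload)
	return out
}

// oversizedHeader is a bare 4-byte prefix claiming `claimed` bytes with no
// body behind it (constructed sample input used to exercise the checks).
func oversizedHeader(claimed uint32) []byte {
	var hdr [4]byte
	binary.BigEndian.PutUint32(hdr[:], claimed)
	return hdr[:]
}

func main() {
	budget := &connBudget{limit: maxInFlightBytes}
	msg, err := readEnvelopeBounded(bytes.NewReader(frame([]byte("ping"))), budget)
	fmt.Printf("valid envelope: %q err=%v\n", msg, err)
	_, err = readEnvelopeBounded(bytes.NewReader(oversizedHeader(2<<30)), budget)
	fmt.Println("2 GiB prefix:", err)
}
```

The two checks are deliberately separate: the per-message cap stops a single oversized prefix, while the connection budget is what stops many streams from each reserving a legal-but-large buffer at once. A rejected prefix is also a good detection signal, since a legitimate peer never claims a length it cannot send.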

The operational impact of this vulnerability extends beyond simple service disruption to encompass complete operational degradation of the C2 infrastructure. When the Sliver server crashes due to memory exhaustion, all active implant sessions are terminated, effectively severing communication channels between the command and control server and compromised hosts. This disruption can compromise ongoing operations, potentially leading to loss of intelligence gathering capabilities or operational tempo. Additionally, the memory exhaustion can cause cascading effects on other processes running on the same host system, potentially affecting unrelated services or applications that share system resources. The vulnerability's persistence in the codebase at publication time indicates a critical gap in security testing and validation processes, as this type of memory handling error represents a fundamental flaw in resource management.

This vulnerability maps directly to CWE-129 and CWE-770 within the Common Weakness Enumeration framework, specifically addressing improper input validation and insufficient resource management issues. The attack pattern aligns with ATT&CK techniques categorized under T1071.004 (Application Layer Protocol: DNS) and T1499.004 (Endpoint Denial of Service), as the exploitation targets network protocol implementations to achieve denial of service conditions. The lack of input validation in memory allocation decisions creates a direct path for attackers to consume excessive system resources, while the absence of bounds checking on implant-side readers provides additional attack vectors. The vulnerability demonstrates poor adherence to secure coding practices and highlights the critical importance of implementing proper resource limits and input sanitization in network protocol implementations. Organizations should immediately implement network segmentation and monitoring to detect anomalous memory allocation patterns, while also planning urgent upgrades to mitigate this persistent threat to their operational security infrastructure.

Responsible: GitHub M

Reservation: 03/17/2026

Disclosure: 03/20/2026

Moderation: accepted

CPE: ready

EPSS: 0.00062

KEV: no

Activities: very low
