Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-24889

CVE-2026-24889: Soroban SDK Buffer Overflow Vulnerability

CVE-2026-24889 is a buffer overflow vulnerability in the Soroban SDK for Rust smart contracts that triggers arithmetic overflow in slice and random number methods. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-24889 Overview

CVE-2026-24889 is an Integer Overflow vulnerability affecting the Soroban SDK, a Rust SDK for building Soroban smart contracts on the Stellar blockchain. The vulnerability exists in the Bytes::slice, Vec::slice, and Prng::gen_range (for u64) methods in versions up to and including 25.0.1, 23.5.1, and 25.0.2. When arithmetic operations on range bounds are performed without overflow checks, the values can silently wrap around, causing the affected methods to operate on incorrect data ranges or generate random numbers from unintended ranges.

Critical Impact

Smart contracts using user-controlled or computed range bounds with affected methods may experience corrupted contract state, potentially leading to integrity issues in blockchain operations.

Affected Products

  • soroban-sdk versions up to and including 25.0.1
  • soroban-sdk versions up to and including 23.5.1
  • soroban-sdk versions up to and including 25.0.2

Discovery Timeline

  • 2026-01-28 - CVE CVE-2026-24889 published to NVD
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-24889

Vulnerability Analysis

This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The core issue lies in how range bounds are processed in the slice and gen_range methods. When handling Bound::Excluded ranges, the code performs direct arithmetic operations (*s + 1 or *b - 1) without checking for potential overflow conditions. In Rust, when overflow-checks is disabled (which is the default for release builds unless explicitly enabled), these operations silently wrap around instead of panicking.

For example, if a Bound::Excluded start bound is set to u32::MAX (4294967295) in the slice method, adding 1 would cause the value to wrap to 0, resulting in an incorrect slice range. Similarly, in Prng::gen_range for u64, passing Bound::Excluded(0) for an end bound would cause subtraction underflow, wrapping to u64::MAX.

Root Cause

The root cause is the use of bare arithmetic operations (+ and -) on range bounds without explicit overflow checking. The vulnerable code paths relied on Rust's overflow-checks compiler flag to catch these conditions, but this setting is disabled by default in release profiles. Contracts that did not explicitly configure overflow-checks = true in their Cargo profiles were susceptible to silent arithmetic wraparound.

Attack Vector

This vulnerability can be exploited remotely through network-accessible smart contracts. An attacker could craft malicious input values for contract functions that pass user-controlled range bounds to the affected methods. The attack requires no authentication and does not require user interaction.

The exploitation scenario involves:

  1. Identifying a Soroban contract that uses Bytes::slice, Vec::slice, or Prng::gen_range with user-controllable bounds
  2. Supplying range bounds at or near integer boundary values (e.g., u32::MAX or 0 for excluded bounds)
  3. Triggering the arithmetic overflow to cause the contract to operate on unintended data ranges
rust
// Vulnerable code (before patch) - bytes.rs slice method
pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
    let start_bound = match r.start_bound() {
        Bound::Included(s) => *s,
        Bound::Excluded(s) => *s + 1,  // VULNERABLE: overflow if s == u32::MAX
        Bound::Unbounded => 0,
    };
    let end_bound = match r.end_bound() {
        Bound::Included(s) => *s + 1,  // VULNERABLE: overflow if s == u32::MAX
        Bound::Excluded(s) => *s,
        Bound::Unbounded => self.len(),
    };

Source: GitHub Commit

rust
// Fixed code (after patch) - bytes.rs slice method with checked arithmetic
pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
    let start_bound = match r.start_bound() {
        Bound::Included(s) => *s,
        Bound::Excluded(s) => s
            .checked_add(1)
            .expect_optimized("attempt to add with overflow"),
        Bound::Unbounded => 0,
    };
    let end_bound = match r.end_bound() {
        Bound::Included(s) => s
            .checked_add(1)
            .expect_optimized("attempt to add with overflow"),
        Bound::Excluded(s) => *s,
        Bound::Unbounded => self.len(),
    };

Source: GitHub Commit

Detection Methods for CVE-2026-24889

Indicators of Compromise

  • Unexpected contract state changes when processing boundary value inputs
  • Contract operations producing results inconsistent with specified ranges
  • Random number generation producing values outside expected ranges in contracts using Prng::gen_range
  • Contract logs showing slice operations on unexpectedly large or wrapped ranges

Detection Strategies

  • Audit Soroban contract dependencies to identify use of soroban-sdk versions prior to the patched releases (v22.0.9, v23.5.1, v25.0.2)
  • Review contract code for usage of Bytes::slice, Vec::slice, or Prng::gen_range methods with user-controlled inputs
  • Check Cargo.toml profile configurations for overflow-checks settings; absence of overflow-checks = true in release profiles indicates potential vulnerability
  • Analyze contract transaction history for inputs containing boundary values (e.g., u32::MAX, u64::MAX, or 0) passed to slice or range operations

Monitoring Recommendations

  • Monitor contract invocations for parameters containing maximum integer values that could trigger overflow conditions
  • Implement contract-level input validation logging to capture suspicious range bound values
  • Set up alerts for contract state anomalies that could indicate data corruption from overflow exploitation
  • Review smart contract audit reports for any findings related to integer overflow in range operations

How to Mitigate CVE-2026-24889

Immediate Actions Required

  • Update soroban-sdk to patched versions: v22.0.9, v23.5.1, or v25.0.2 depending on your version branch
  • Audit existing contracts for usage of affected methods (Bytes::slice, Vec::slice, Prng::gen_range) with user-controlled inputs
  • Enable overflow-checks = true in Cargo.toml release profiles as a defense-in-depth measure
  • Validate range bounds in contract logic before passing them to slice or gen_range methods

Patch Information

The fix replaces bare arithmetic operations with checked_add and checked_sub methods, ensuring overflow conditions trap regardless of the overflow-checks profile setting. Patched versions are available:

For detailed patch information, see the GitHub Security Advisory GHSA-96xm-fv9w-pf3f and the associated pull request #1703.

Workarounds

  • Configure overflow-checks = true in the contract's Cargo.toml release profile to catch arithmetic overflows at runtime
  • Implement manual bounds validation in contract code before calling slice or gen_range methods with user-provided values
  • Use the contract boilerplate generated by stellar contract init which enables overflow checks by default
  • For Prng::gen_range, ensure exclusive bounds are never 0 (for end) or u64::MAX (for start) when using excluded bounds
toml
# Cargo.toml - Recommended profile configuration
[profile.release]
overflow-checks = true
opt-level = "z"
lto = true
codegen-units = 1
panic = "abort"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.