CVE-2026-24889 Overview
CVE-2026-24889 is an Integer Overflow vulnerability affecting the Soroban SDK, a Rust SDK for building Soroban smart contracts on the Stellar blockchain. The vulnerability exists in the Bytes::slice, Vec::slice, and Prng::gen_range (for u64) methods in versions up to and including 25.0.1, 23.5.1, and 25.0.2. When arithmetic operations on range bounds are performed without overflow checks, the values can silently wrap around, causing the affected methods to operate on incorrect data ranges or generate random numbers from unintended ranges.
Critical Impact
Smart contracts using user-controlled or computed range bounds with affected methods may experience corrupted contract state, potentially leading to integrity issues in blockchain operations.
Affected Products
- soroban-sdk versions up to and including 25.0.1
- soroban-sdk versions up to and including 23.5.1
- soroban-sdk versions up to and including 25.0.2
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-24889 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24889
Vulnerability Analysis
This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The core issue lies in how range bounds are processed in the slice and gen_range methods. When handling Bound::Excluded ranges, the code performs direct arithmetic operations (*s + 1 or *b - 1) without checking for potential overflow conditions. In Rust, when overflow-checks is disabled (which is the default for release builds unless explicitly enabled), these operations silently wrap around instead of panicking.
For example, if a Bound::Excluded start bound is set to u32::MAX (4294967295) in the slice method, adding 1 would cause the value to wrap to 0, resulting in an incorrect slice range. Similarly, in Prng::gen_range for u64, passing Bound::Excluded(0) for an end bound would cause subtraction underflow, wrapping to u64::MAX.
Root Cause
The root cause is the use of bare arithmetic operations (+ and -) on range bounds without explicit overflow checking. The vulnerable code paths relied on Rust's overflow-checks compiler flag to catch these conditions, but this setting is disabled by default in release profiles. Contracts that did not explicitly configure overflow-checks = true in their Cargo profiles were susceptible to silent arithmetic wraparound.
Attack Vector
This vulnerability can be exploited remotely through network-accessible smart contracts. An attacker could craft malicious input values for contract functions that pass user-controlled range bounds to the affected methods. The attack requires no authentication and does not require user interaction.
The exploitation scenario involves:
- Identifying a Soroban contract that uses Bytes::slice, Vec::slice, or Prng::gen_range with user-controllable bounds
- Supplying range bounds at or near integer boundary values (e.g., u32::MAX or 0 for excluded bounds)
- Triggering the arithmetic overflow to cause the contract to operate on unintended data ranges
// Vulnerable code (before patch) - bytes.rs slice method
pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
let start_bound = match r.start_bound() {
Bound::Included(s) => *s,
Bound::Excluded(s) => *s + 1, // VULNERABLE: overflow if s == u32::MAX
Bound::Unbounded => 0,
};
let end_bound = match r.end_bound() {
Bound::Included(s) => *s + 1, // VULNERABLE: overflow if s == u32::MAX
Bound::Excluded(s) => *s,
Bound::Unbounded => self.len(),
};
Source: GitHub Commit
// Fixed code (after patch) - bytes.rs slice method with checked arithmetic
pub fn slice(&self, r: impl RangeBounds<u32>) -> Self {
let start_bound = match r.start_bound() {
Bound::Included(s) => *s,
Bound::Excluded(s) => s
.checked_add(1)
.expect_optimized("attempt to add with overflow"),
Bound::Unbounded => 0,
};
let end_bound = match r.end_bound() {
Bound::Included(s) => s
.checked_add(1)
.expect_optimized("attempt to add with overflow"),
Bound::Excluded(s) => *s,
Bound::Unbounded => self.len(),
};
Source: GitHub Commit
Detection Methods for CVE-2026-24889
Indicators of Compromise
- Unexpected contract state changes when processing boundary value inputs
- Contract operations producing results inconsistent with specified ranges
- Random number generation producing values outside expected ranges in contracts using Prng::gen_range
- Contract logs showing slice operations on unexpectedly large or wrapped ranges
Detection Strategies
- Audit Soroban contract dependencies to identify use of soroban-sdk versions prior to the patched releases (v22.0.9, v23.5.1, v25.0.2)
- Review contract code for usage of Bytes::slice, Vec::slice, or Prng::gen_range methods with user-controlled inputs
- Check Cargo.toml profile configurations for overflow-checks settings; absence of overflow-checks = true in release profiles indicates potential vulnerability
- Analyze contract transaction history for inputs containing boundary values (e.g., u32::MAX, u64::MAX, or 0) passed to slice or range operations
Monitoring Recommendations
- Monitor contract invocations for parameters containing maximum integer values that could trigger overflow conditions
- Implement contract-level input validation logging to capture suspicious range bound values
- Set up alerts for contract state anomalies that could indicate data corruption from overflow exploitation
- Review smart contract audit reports for any findings related to integer overflow in range operations
How to Mitigate CVE-2026-24889
Immediate Actions Required
- Update soroban-sdk to patched versions: v22.0.9, v23.5.1, or v25.0.2 depending on your version branch
- Audit existing contracts for usage of affected methods (Bytes::slice, Vec::slice, Prng::gen_range) with user-controlled inputs
- Enable overflow-checks = true in Cargo.toml release profiles as a defense-in-depth measure
- Validate range bounds in contract logic before passing them to slice or gen_range methods
Patch Information
The fix replaces bare arithmetic operations with checked_add and checked_sub methods, ensuring overflow conditions trap regardless of the overflow-checks profile setting. Patched versions are available:
For detailed patch information, see the GitHub Security Advisory GHSA-96xm-fv9w-pf3f and the associated pull request #1703.
Workarounds
- Configure overflow-checks = true in the contract's Cargo.toml release profile to catch arithmetic overflows at runtime
- Implement manual bounds validation in contract code before calling slice or gen_range methods with user-provided values
- Use the contract boilerplate generated by stellar contract init which enables overflow checks by default
- For Prng::gen_range, ensure exclusive bounds are never 0 (for end) or u64::MAX (for start) when using excluded bounds
# Cargo.toml - Recommended profile configuration
[profile.release]
overflow-checks = true
opt-level = "z"
lto = true
codegen-units = 1
panic = "abort"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
