CVE-2026-32322 Overview
CVE-2026-32322 is an Improper Comparison vulnerability affecting the Stellar soroban-sdk, a Rust SDK for Soroban smart contracts. The vulnerability exists in the Fr (scalar field) types for BN254 and BLS12-381 cryptographic curves, where values are compared using their raw U256 representation without first reducing modulo the field modulus r. This causes mathematically equal field elements to compare as not-equal when one or both values are unreduced (i.e., >= r).
Critical Impact
Smart contracts relying on Fr equality checks for security-critical logic could produce incorrect results, potentially leading to authorization bypasses or validation failures in contracts that perform equality checks on user-supplied scalar values.
Affected Products
- stellar rs-soroban-sdk versions prior to 22.0.11
- stellar rs-soroban-sdk versions prior to 23.5.3
- stellar rs-soroban-sdk versions prior to 25.3.0
Discovery Timeline
- 2026-03-13 - CVE-2026-32322 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32322
Vulnerability Analysis
The vulnerability (CWE-697: Incorrect Comparison) exists in the cryptographic implementation within the soroban-sdk. When performing equality comparisons on Fr (scalar field) elements for the BN254 and BLS12-381 elliptic curves, the SDK compares raw U256 representations directly rather than first normalizing the values by reducing them modulo the field modulus r.
In finite field arithmetic, any value greater than or equal to the field modulus r is mathematically equivalent to its reduced form (value mod r). By comparing unreduced values directly, two mathematically equal field elements can be evaluated as unequal when their representations differ. This is particularly dangerous in smart contract contexts where equality checks often gate security-critical decisions.
Root Cause
The root cause is the missing modular reduction step before performing equality comparisons on Fr types. The SDK's comparison logic operates on raw U256 byte representations instead of first ensuring both operands are in their canonical reduced form (0 ≤ value < r). This oversight allows semantically equivalent values to fail equality tests when at least one operand remains unreduced.
Attack Vector
The attack vector is network-based and requires an attacker to supply crafted Fr values through contract inputs. By providing unreduced scalar values (values >= r) that are mathematically equivalent to expected values when reduced, an attacker can cause equality checks to fail unexpectedly. The exploitation path requires:
- Identifying a target smart contract that performs Fr equality comparisons on user-supplied input
- Determining the expected value that the contract checks against
- Crafting an equivalent but unreduced representation of that value (original + k*r for some k >= 1)
- Submitting the crafted value through the contract interface
The vulnerability does not require authentication and has low attack complexity, though exploitation is limited to integrity impact without direct confidentiality or availability consequences.
Detection Methods for CVE-2026-32322
Indicators of Compromise
- Unexpected authorization failures or successes in Soroban smart contracts performing scalar field comparisons
- Contract execution results that differ from expected behavior when processing user-supplied cryptographic values
- Transaction logs showing unusual Fr field values that appear equivalent but produce different comparison outcomes
Detection Strategies
- Audit deployed Soroban contracts for direct Fr equality comparisons on user-controlled inputs
- Implement contract-level logging to capture Fr comparison operations and their results
- Review transaction history for patterns of failed equality checks followed by retry attempts with modified values
- Use static analysis tools to identify Fr comparison patterns in contract source code
Monitoring Recommendations
- Monitor smart contract interactions for anomalous authorization patterns that could indicate exploitation attempts
- Track soroban-sdk version usage across deployed contracts to identify vulnerable deployments
- Establish baseline behavior for contract Fr operations and alert on deviations
- Review the GitHub Security Advisory for additional technical indicators
How to Mitigate CVE-2026-32322
Immediate Actions Required
- Upgrade soroban-sdk to patched versions: 22.0.11, 23.5.3, or 25.3.0 depending on your current major version
- Audit existing smart contracts for Fr equality comparison patterns on user-supplied values
- Consider implementing additional validation logic at the contract level to normalize inputs before comparison
- Redeploy affected contracts using the patched SDK version
Patch Information
Stellar has released security patches addressing this vulnerability in soroban-sdk versions 22.0.11, 23.5.3, and 25.3.0. The fix ensures Fr values are properly reduced modulo the field modulus r before equality comparisons are performed. Detailed patch information is available in the GitHub Security Advisory GHSA-x2hw-px52-wp4m.
Workarounds
- Avoid performing direct Fr equality comparisons on user-supplied values until patches are applied
- Implement application-level input validation to reject Fr values that are >= field modulus r
- Route scalar comparisons through host-side arithmetic operations that properly handle reduction
- Consider adding explicit modular reduction calls before any Fr equality checks in contract logic
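The following is an added illustration of the comparison defect described in the Vulnerability Analysis and Root Cause sections, together with the two workarounds above (reject unreduced inputs, reduce before comparing). It is not soroban-sdk code: the real BN254/BLS12-381 modulus r does not fit in a u128, so TOY_R is a constructed stand-in modulus, and the RawFr, validate_input and demo names are this example's own.

```rust
// Added example, not soroban-sdk code. A toy scalar field showing why
// comparing raw representations is not the same as comparing field elements.
// TOY_R is a constructed stand-in for the field modulus r (assumption: the
// real modulus is a 254/255-bit prime and would need a U256).
pub const TOY_R: u128 = 0xffff_ffff_0000_0001;

/// Scalar-field element stored as a raw, possibly unreduced integer,
/// mirroring an Fr type that keeps whatever U256 value it was constructed from.
#[derive(Clone, Copy, Debug)]
pub struct RawFr(pub u128);

impl RawFr {
    /// Vulnerable pattern: equality on the raw representation, no reduction.
    /// 42 and 42 + r are the same field element but compare as different here.
    pub fn eq_raw(&self, other: &RawFr) -> bool {
        self.0 == other.0
    }

    /// Canonical representation in the range [0, r).
    pub fn reduced(&self) -> u128 {
        self.0 % TOY_R
    }

    /// Fixed pattern: compare canonical forms, so every representation of
    /// the same field element is equal to every other one.
    pub fn eq_reduced(&self, other: &RawFr) -> bool {
        self.reduced() == other.reduced()
    }

    /// True when the stored value is already in canonical form.
    pub fn is_canonical(&self) -> bool {
        self.0 < TOY_R
    }
}

/// Workaround at the contract boundary: refuse any scalar that is not
/// already reduced, so the comparison only ever sees canonical values.
pub fn validate_input(value: u128) -> Result<RawFr, &'static str> {
    if value >= TOY_R {
        Err("scalar not reduced modulo r")
    } else {
        Ok(RawFr(value))
    }
}

/// An equality gate of the kind the advisory describes, evaluated both ways.
/// Returns (raw comparison result, reduced comparison result).
pub fn gate(expected: u128, supplied: u128) -> (bool, bool) {
    let e = RawFr(expected);
    let s = RawFr(supplied);
    (e.eq_raw(&s), e.eq_reduced(&s))
}

/// Demonstration: 42 and 42 + 1*r are mathematically equal field elements.
pub fn demo() -> (bool, bool) {
    gate(42, 42 + TOY_R)
}

fn main() {
    let (raw, reduced) = demo();
    println!("raw compare: {raw}, reduced compare: {reduced}");
    println!("input {} canonical? {}", TOY_R, RawFr(TOY_R).is_canonical());
    println!("validate_input(TOY_R): {:?}", validate_input(TOY_R));
}
```

The raw comparison answers false for two representations of the same element, which is exactly the false-negative the advisory warns about; the reduced comparison answers true. Rejecting non-canonical inputs up front is the cheaper check when a contract cannot yet upgrade, because it makes the vulnerable comparison unreachable with unreduced operands.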
# Pin soroban-sdk in Cargo.lock to the patched version (adjust the version requirement in Cargo.toml if it excludes the patch)
# For 22.x branch:
cargo update -p soroban-sdk --precise 22.0.11
# For 23.x branch:
cargo update -p soroban-sdk --precise 23.5.3
# For 25.x branch:
cargo update -p soroban-sdk --precise 25.3.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.