CVE-2026-24889
📋 TL;DR
This vulnerability in soroban-sdk allows arithmetic overflow in slice and random number generation methods, potentially causing contracts to operate on incorrect data ranges or to generate unintended random numbers. Only contracts built with overflow-checks=false are affected, a setting that best practices discourage. The issue can lead to corrupted contract state if user-controlled bounds are passed to the vulnerable methods.
💻 Affected Systems
- soroban-sdk
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Contract state corruption leading to financial loss or unauthorized operations in smart contracts, particularly if used for critical financial applications on the Stellar network.
Likely Case
Incorrect contract behavior or data corruption in contracts that disabled overflow checks, potentially causing transaction failures or unexpected results.
If Mitigated
Minimal impact as overflow would trap and fail transactions rather than silently corrupt data, following recommended best practices.
🎯 Exploit Status
Exploitation requires passing user-controlled or computed range bounds to vulnerable methods in contracts with overflow-checks disabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commits 3890521, 59fcef4, c2757c6 and releases after v22.0.9
Vendor Advisory: https://github.com/stellar/rs-soroban-sdk/security/advisories
Restart Required: No
Instructions:
1. Update the soroban-sdk dependency to a patched version.
2. Rebuild and redeploy affected contracts.
3. Ensure overflow-checks=true in Cargo.toml release profiles.
🔧 Temporary Workarounds
Enable overflow checks in Cargo.toml
Configure overflow-checks=true in the release profile so that arithmetic overflow traps rather than wrapping silently.
Add to Cargo.toml:
[profile.release]
overflow-checks = true
Validate range bounds before use
Manually validate that slice bounds and range parameters cannot cause arithmetic overflow.
🧯 If You Can't Patch
- Enable overflow-checks=true in all contract build profiles
- Implement manual bounds validation before calling slice() or gen_range() methods
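The bounds validation described in the workarounds above, as an added example that is not soroban-sdk or project code: it contrasts what a wrapping length computation does when overflow-checks=false with explicitly checked arithmetic whose result does not depend on the build profile. The function names and the byte buffer are constructed for illustration.

```rust
// Added example (not soroban-sdk code): validate `start..end` style bounds
// before slicing so that an out-of-range or overflowing range is rejected
// instead of wrapping when the crate is built with overflow-checks=false.

/// Mirrors what wrapping arithmetic does to a length computation when
/// overflow checks are disabled: `end - start` on u32 wraps instead of
/// trapping, so a range with start > end yields a huge "length".
fn wrapping_range_len(start: u32, end: u32) -> u32 {
    end.wrapping_sub(start)
}

/// Hardened bound check: every step is checked explicitly, so the result
/// is the same whether or not the profile enables overflow-checks.
fn checked_range_len(start: u32, end: u32, len: u32) -> Result<u32, &'static str> {
    if start > end {
        return Err("start exceeds end");
    }
    if end > len {
        return Err("end exceeds length");
    }
    end.checked_sub(start).ok_or("length underflow")
}

/// Same idea for an offset + count style API: reject overflow of the end bound.
fn checked_end(offset: u32, count: u32, len: u32) -> Result<u32, &'static str> {
    let end = offset.checked_add(count).ok_or("offset + count overflows u32")?;
    if end > len {
        return Err("range exceeds length");
    }
    Ok(end)
}

/// Apply validated bounds to a byte buffer; returns the sub-slice or an error.
fn safe_slice(data: &[u8], start: u32, end: u32) -> Result<&[u8], &'static str> {
    let len = u32::try_from(data.len()).map_err(|_| "buffer too large for u32")?;
    checked_range_len(start, end, len)?;
    Ok(&data[start as usize..end as usize])
}

fn main() {
    let buf: [u8; 8] = [0, 1, 2, 3, 4, 5, 6, 7]; // constructed sample input
    println!("wrapping len for 6..2 = {}", wrapping_range_len(6, 2)); // 4294967292
    println!("{:?}", safe_slice(&buf, 2, 6)); // Ok([2, 3, 4, 5])
    println!("{:?}", safe_slice(&buf, 6, 2)); // Err("start exceeds end")
    println!("{:?}", checked_end(u32::MAX, 1, 8)); // Err("offset + count overflows u32")
}
```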
🔍 How to Verify
Check if Vulnerable:
Check if contract uses soroban-sdk ≤25.0.1, ≤23.5.1, or ≤25.0.2 AND has overflow-checks=false in Cargo.toml
Check Version:
grep soroban-sdk Cargo.toml && grep overflow-checks Cargo.toml
Verify Fix Applied:
Verify soroban-sdk version is updated and overflow-checks=true is configured in release profile
📡 Detection & Monitoring
Log Indicators:
- Contract transaction failures due to arithmetic overflow traps
- Unexpected contract state changes
Network Indicators:
- Failed Soroban contract transactions with overflow errors
SIEM Query:
Not applicable - contract-level issue
🔗 References
- https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38
- https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e
- https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462
- https://github.com/stellar/rs-soroban-sdk/pull/1703
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2
- https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f