evm has incorrect is_static parameter for custom stateful precompiles
CVE-2022-39354

5.9MEDIUM

Key Information:

Vendor

Rust-blockchain

Status
Evm
Vendor
CVE Published:
25 October 2022

What is CVE-2022-39354?

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed is_static parameter was incorrect -- it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses is_static. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

evm < 0.36.0

References

https://github.com/rust-blockchain/evm/security/advisorie...
https://github.com/rust-blockchain/evm/pull/133

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.