Arithmetic Overflow in Soroban SDK Affects Stellar Contracts
CVE-2026-24889
What is CVE-2026-24889?
The soroban-sdk is vulnerable to arithmetic overflow in its Bytes::slice, Vec::slice, and Prng::gen_range methods. When developers pass user-controlled or computed range bounds to these methods, it can lead to silent failures, operating on incorrect data ranges or generating unintended random numbers—thereby compromising the integrity of smart contracts. It's essential for developers to enable overflow-checks = true to mitigate these risks. The best practices outlined in the stellar contract init tool and documentation support the configuration of overflow checks, ensuring failures are caught rather than allowing wrapping. Affected versions of the SDK have been patched to replace bare arithmetic operations with checked versions, preventing overflow irrespective of the configuration settings used. For additional security, developers are advised to validate range bounds before passing them to vulnerable methods.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
rs-soroban-sdk < 22.0.9 < 22.0.9
rs-soroban-sdk >= 23.0.0, < 23.5.1 < 23.0.0, 23.5.1
rs-soroban-sdk >= 25.0.0, < 25.0.2 < 25.0.0, 25.0.2
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved