When Math Lies: Integer Wraparounds in Stellar's Soroban SDK
Vulnerability ID: CVE-2026-24889
CVSS Score: 5.3
Published: 2026-01-28
A critical integer overflow vulnerability in the Rust soroban-sdk allows smart contracts to silently process incorrect data ranges or to generate random numbers outside the requested bounds. Because integer arithmetic wraps silently in Rust release builds, an attacker can force a contract to slice an empty buffer instead of the full dataset, or bypass PRNG bounds, leading to severe logic corruption without triggering a transaction revert.
TL;DR
The Soroban SDK used bare arithmetic to calculate slice indices. In Rust release builds (where overflow checks are off by default), u32::MAX + 1 wraps to 0. This silently turns a request for 'all data' into a request for 'no data'. It affects both data slicing and random number generation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-190
- Attack Vector: Network
- CVSS: 5.3 (Medium)
- Impact: Integrity Loss / Logic Bypass
- Exploit Status: PoC Available (Implicit)
- Language: Rust / Wasm
Affected Systems
- Stellar Soroban Smart Contracts
- Rust applications using rs-soroban-sdk
- rs-soroban-sdk: < 22.0.9 (Fixed in: 22.0.9)
- rs-soroban-sdk: >= 23.0.0, < 23.5.1 (Fixed in: 23.5.1)
- rs-soroban-sdk: >= 25.0.0, < 25.0.2 (Fixed in: 25.0.2)
Mitigation Strategies
- Fail explicitly on arithmetic overflow by using checked_* methods (which return None on overflow) instead of bare operators.
- Enable overflow checks globally in Rust release profiles.
- Validate user-supplied RangeBounds to ensure they lie within logical limits.
Remediation Steps:
- Update rs-soroban-sdk to version 22.0.9, 23.5.1, or 25.0.2.
- Modify Cargo.toml to set overflow-checks = true in the [profile.release] section.
- Audit contract logic for any manual arithmetic on indices or bounds.
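The wraparound described in the TL;DR and the checked_* mitigation above, shown side by side as an added example (constructed for this post, not code from the soroban-sdk): both functions resolve a RangeBounds<u32> into a half-open [start, end) pair over a buffer of `len` elements; the first uses wrapping_add to reproduce the bare-arithmetic behaviour of a release build deterministically, the second uses checked_add and bounds validation. The function names and the error strings are assumptions of this example.

```rust
use std::ops::{Bound, RangeBounds};

/// "Before": resolve a range with bare-style arithmetic. wrapping_add is used
/// here so the release-mode wraparound is reproduced even when this file is
/// compiled with overflow checks on. Inclusive end u32::MAX + 1 wraps to 0,
/// so "everything" silently becomes the empty range [0, 0).
pub fn resolve_range_wrapping<R: RangeBounds<u32>>(r: R, len: u32) -> (u32, u32) {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.wrapping_add(1),
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.wrapping_add(1), // u32::MAX + 1 wraps to 0
        Bound::Excluded(&e) => e,
        Bound::Unbounded => len,
    };
    (start, end)
}

/// "After": checked_add turns the overflow into an explicit error instead of
/// a silently empty range, and the resolved range is validated against the
/// buffer length so an out-of-bounds request cannot slip through either.
pub fn resolve_range_checked<R: RangeBounds<u32>>(
    r: R,
    len: u32,
) -> Result<(u32, u32), &'static str> {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.checked_add(1).ok_or("start bound overflow")?,
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.checked_add(1).ok_or("end bound overflow")?,
        Bound::Excluded(&e) => e,
        Bound::Unbounded => len,
    };
    if start > end || end > len {
        return Err("range out of bounds");
    }
    Ok((start, end))
}
```

With `..=u32::MAX` the wrapping version returns (0, 0), an empty slice, while the checked version returns an error the contract can act on.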
References
Read the full report for CVE-2026-24889 on our website for more details including interactive diagrams and full exploit analysis.