DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-429Q-FHH4-R6HJ: GHSA-429Q-FHH4-R6HJ: Account Substitution via Discriminator Bypass in Anchor InterfaceAccount

#security #cve #cybersecurity #ghsa

GHSA-429Q-FHH4-R6HJ: Account Substitution via Discriminator Bypass in Anchor InterfaceAccount

Vulnerability ID: GHSA-429Q-FHH4-R6HJ
CVSS Score: 9.1
Published: 2026-05-13

A critical vulnerability in the Anchor framework's anchor-lang crate allows account substitution attacks. The InterfaceAccount type fails to validate the 8-byte account discriminator during deserialization, permitting an attacker to supply a mismatched account type and subvert program logic.

TL;DR

Anchor versions prior to 1.0.0 skip structural discriminator checks for the InterfaceAccount type, allowing attackers to supply improperly typed accounts that bypass framework-level validation.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20
  • Attack Vector: Network
  • Vulnerability Class: Account Substitution / Type Confusion
  • Exploit Status: Proof-of-Concept Available
  • CVSS v3.1 Score: 9.1
  • Patch Version: 1.0.0

Affected Systems

  • Anchor Framework
  • Solana Smart Contracts utilizing anchor-lang < 1.0.0
  • Applications implementing InterfaceAccount
  • anchor-lang: < 1.0.0 (Fixed in: 1.0.0)

Code Analysis

Commit: 26ef369

Fix discriminator bypass in InterfaceAccount by enforcing T::try_deserialize

Exploit Details

  • GitHub: Proof of Concept test in the official fix commit

Mitigation Strategies

  • Upgrade anchor-lang dependency to version 1.0.0 or later.
  • Audit all usages of InterfaceAccount across the program.
  • Ensure all account types have an explicit discriminator defined.
  • Remove usages of try_from_unchecked in production code.

Remediation Steps:

  1. Update the Cargo.toml file to reference anchor-lang version 1.0.0.
  2. Execute cargo build-sbf to recompile the Solana program.
  3. Deploy the updated program binary to the mainnet.
  4. Conduct a review to confirm no unchecked deserialization occurs on the critical path.

References

Read the full report for GHSA-429Q-FHH4-R6HJ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)