CVE-2026-24889
Unknown Unknown - Not Provided
Arithmetic Overflow in soroban-sdk Slicing and Random Range Methods

Publication date: 2026-01-28

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boiler plate for a Soroban contract, as well as all examples and docs, encourage the use of configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Securtity Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-28
Last Modified
2026-03-02
Generated
2026-05-07
AI Q&A
2026-01-29
EPSS Evaluated
2026-05-05
NVD
CVE-2026-24889
EUVD
EUVD-2026-4848
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
stellar rs-soroban-sdk to 22.0.9 (exc)
stellar rs-soroban-sdk From 23.0.0 (inc) to 23.5.1 (exc)
stellar rs-soroban-sdk From 25.0.0 (inc) to 25.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an arithmetic overflow issue in the soroban-sdk Rust SDK for Soroban contracts. It occurs in the Bytes::slice, Vec::slice, and Prng::gen_range methods when user-controlled or computed range bounds cause arithmetic operations to overflow silently if overflow-checks are disabled. This can lead to contracts operating on incorrect data ranges or generating random numbers from unintended ranges, potentially corrupting the contract state. The issue affects versions up to and including 25.0.1, 23.5.1, and 25.0.2, and is mitigated by enabling overflow-checks or using checked arithmetic methods.


How can this vulnerability impact me? :

If your Soroban contracts use the affected soroban-sdk versions and have overflow-checks disabled, this vulnerability can cause your contracts to operate on incorrect data ranges or generate random numbers from unintended ranges. This can silently corrupt the contract state, potentially leading to incorrect contract behavior or logic errors. However, if overflow-checks are enabled as recommended, the vulnerability is mitigated.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that Soroban contracts are built with overflow checks enabled by setting `overflow-checks = true` in the contract workspace profile, especially on release profiles. Use the `stellar contract init` tool to generate boilerplate code that includes this setting. Alternatively, validate range bounds before passing them to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` methods to prevent arithmetic overflow. Upgrading to fixed versions (25.0.1, 23.5.1, or 25.0.2) that replace bare arithmetic with checked operations is also recommended.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart