Integer overflow in Stellar Rs-soroban-sdk
CVE-2026-24889
soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, a…
Vulnerability class: Integer Overflow
EPSS: 0.000 (6.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Stellar Rs-soroban-sdk — versions < 22.0.9, >= 23.0.0, < 23.5.1, >= 25.0.0, < 25.0.2
Weakness classification (CWE)
References
- https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f (x_refsource_CONFIRM)
- https://github.com/stellar/rs-soroban-sdk/pull/1703 (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38 (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462 (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9 (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1 (x_refsource_MISC)
- https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-24889?
- CVE-2026-24889 is a medium-severity vulnerability in Stellar Rs-soroban-sdk, classified under Integer Overflow or Wraparound. CVSS score: 5.3/10. Published 2026-01-28.
- How severe is CVE-2026-24889?
- Medium severity. CVSS v3 base score is 5.3 out of 10.