Description
soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state.

Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boilerplate for a Soroban contract, as well as all examples and docs, encourage configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false`, either explicitly or implicitly (Cargo's default for the `release` profile). The majority of contracts are therefore expected not to be impacted, because the best practice encouraged by the tooling is to enable `overflow-checks`.

The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting.

As a workaround, contract workspaces can be configured with the profile given in the GitHub Security Advisory to enable overflow checks on these arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated by `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow.
Published: 2026-01-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Contract State Corruption
Action: Patch SDK
AI Analysis

Impact

Arithmetic overflow occurs in soroban-sdk's Bytes::slice, Vec::slice, and Prng::gen_range (u64) methods in versions up to and including 25.0.1, 23.5.1, and 25.0.2. It is triggered when user‑controlled or computed range bounds are passed to these methods, causing the library to compute an incorrect data range or draw random numbers from an unintended range. In builds compiled without overflow checks (Cargo's default for the release profile), the arithmetic silently wraps instead of panicking, potentially corrupting contract state. The weakness is classified as integer overflow (CWE‑190) and can lead to data corruption or unintended behavior within Soroban contracts.

Affected Systems

Affected systems are those built on Stellar's rs‑soroban‑sdk library. The vulnerability exists in the SDK releases listed in the advisory, up to and including 25.0.1, 23.5.1, and 25.0.2. Contracts or tools that depend on those versions are at risk unless they have been upgraded or otherwise mitigated. The patched releases (for example 25.0.2 and 23.5.1) replace bare arithmetic with checked operations, so overflow traps regardless of the overflow‑checks setting.

Risk and Exploitability

The CVSS 3.1 score of 5.3 indicates medium severity, and the EPSS score is below 1 %, suggesting a low probability of exploitation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitability depends on how the contract was built: only a contract compiled with `overflow-checks = false` (explicitly, or implicitly through Cargo's release‑profile default) against an unpatched SDK is affected. In that case an attacker who can influence the range bounds passed to the vulnerable methods, for example through the contract's own invocation arguments, could make the contract operate on a wrapped length or draw from an unintended random range, silently manipulating data or state; no code‑level control is required beyond supplying those bounds. Enabling `overflow-checks = true` or upgrading to a patched SDK mitigates the risk by making the arithmetic trap instead of wrap. The overall risk to existing contracts is therefore moderate, with state corruption in unchecked builds being the main concern.

Generated by OpenCVE AI on April 18, 2026 at 01:34 UTC.

Remediation

Vendor fix: the GitHub advisory states that the fixed releases (`25.0.1`, `23.5.1`, and `25.0.2`) replace bare arithmetic with `checked_add` / `checked_sub`, so overflow traps regardless of the `overflow-checks` setting. Workarounds: build with `overflow-checks = true` in the profile used for release builds (the default in `stellar contract init` boilerplate), or validate range bounds before passing them to `slice` or `gen_range`.

OpenCVE Recommended Actions

  • Upgrade affected rs‑soroban‑sdk components to a fixed release such as v25.0.2, v23.5.1, or v25.0.1
  • Enable the Rust compiler flag `overflow-checks = true` in the release profile used to build contracts so that the arithmetic operations trap on overflow
  • Validate or constrain range bounds before calling `slice` or `gen_range` to prevent values that could overflow

Generated by OpenCVE AI on April 18, 2026 at 01:34 UTC.
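The arithmetic the description and the recommended actions refer to, as an added example that is not soroban-sdk's own code: a slice-style API that accepts `impl RangeBounds<u32>` has to turn an inclusive end bound into `end + 1` and then compute `end - start`; a `gen_range`-style API over an inclusive `u64` range has to compute `hi - lo + 1`. The functions below model those conversions with explicit `wrapping_*` calls (what bare `+` and `-` compile to when `overflow-checks = false`), with `checked_*` calls (the shape of the fix), and with caller-side bound validation (the second workaround). The function names, the 16-element buffer and the sample ranges are assumptions for illustration.

```rust
// Added example (not soroban-sdk code): models the start/length arithmetic
// behind a slice-style API taking `impl RangeBounds<u32>` and the span
// arithmetic behind a gen_range-style API over an inclusive u64 range.
use std::ops::{Bound, RangeBounds};

/// Turn a range into (start, len) with wrapping arithmetic, i.e. what bare
/// operators do when `overflow-checks = false`. An inclusive end bound needs
/// `end + 1`; with `end == u32::MAX` that wraps to 0 and the following
/// `end - start` wraps too, producing a bogus, huge length.
pub fn resolve_wrapping<R: RangeBounds<u32>>(r: R, total_len: u32) -> (u32, u32) {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.wrapping_add(1),
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.wrapping_add(1),
        Bound::Excluded(&e) => e,
        Bound::Unbounded => total_len,
    };
    (start, end.wrapping_sub(start))
}

/// Same conversion with checked arithmetic, the shape of the fix. `None`
/// means the range is unrepresentable, reversed, or extends past `total_len`;
/// a library would trap (panic) at that point instead of continuing.
pub fn resolve_checked<R: RangeBounds<u32>>(r: R, total_len: u32) -> Option<(u32, u32)> {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.checked_add(1)?,
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.checked_add(1)?,
        Bound::Excluded(&e) => e,
        Bound::Unbounded => total_len,
    };
    if end > total_len {
        return None;
    }
    Some((start, end.checked_sub(start)?))
}

/// Caller-side validation of user-supplied half-open bounds `[start, end)`
/// before they reach a slice call: rejects reversed and out-of-range requests
/// so the library never sees values whose conversion could overflow.
pub fn validate_bounds(start: u32, end: u32, total_len: u32) -> Result<(u32, u32), &'static str> {
    if start > end {
        return Err("start exceeds end");
    }
    if end > total_len {
        return Err("end exceeds length");
    }
    Ok((start, end))
}

/// Number of values in the inclusive range `lo..=hi`, computed with checked
/// arithmetic. `0..=u64::MAX` has 2^64 values, which does not fit in a u64,
/// so this reports `None` rather than wrapping to 0.
pub fn inclusive_span_checked(lo: u64, hi: u64) -> Option<u64> {
    hi.checked_sub(lo)?.checked_add(1)
}

/// The same span with wrapping arithmetic: `0..=u64::MAX` yields 0, so a
/// generator reducing modulo this span would draw from the wrong range.
pub fn inclusive_span_wrapping(lo: u64, hi: u64) -> u64 {
    hi.wrapping_sub(lo).wrapping_add(1)
}

fn main() {
    let total = 16u32;
    let (start, end) = (8u32, 4u32); // a reversed, user-supplied range
    println!("5..=u32::MAX wrapping: {:?}", resolve_wrapping(5..=u32::MAX, total));
    println!("5..=u32::MAX checked:  {:?}", resolve_checked(5..=u32::MAX, total));
    println!("reversed wrapping:     {:?}", resolve_wrapping(start..end, total));
    println!("reversed validated:    {:?}", validate_bounds(start, end, total));
    println!("0..=u64::MAX checked:  {:?}", inclusive_span_checked(0, u64::MAX));
}
```

The example uses explicit `wrapping_*` calls so the unchecked behaviour is reproduced deterministically in any build; in real code the same wrap only happens with bare operators under `overflow-checks = false`. To rule that out for a contract workspace, set `overflow-checks = true` under `[profile.release]` in Cargo.toml and confirm with a release build that an out-of-range request panics rather than returning a wrapped length.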

Advisories
Source: GitHub GHSA
ID: GHSA-96xm-fv9w-pf3f
Title: soroban-sdk has overflow in Bytes::slice, Vec::slice, GenRange::gen_range for u64
History

Mon, 02 Mar 2026 18:30:00 +0000

Type: CPEs
Values added: cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:*

Thu, 29 Jan 2026 18:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 10:15:00 +0000

Type: First Time appeared
Values added: Stellar; Stellar rs-soroban-sdk
Type: Vendors & Products
Values added: Stellar; Stellar rs-soroban-sdk

Wed, 28 Jan 2026 22:15:00 +0000

Type: Description
Values added: soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boilerplate for a Soroban contract, as well as all examples and docs, encourage the use of configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Security Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow.
Type: Title
Values added: soroban-sdk has overflow in Bytes::slice, Vec::slice, GenRange::gen_range for u64
Type: Weaknesses
Values added: CWE-190
Type: References
Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T18:00:47.472Z

Reserved: 2026-01-27T19:35:20.528Z

Link: CVE-2026-24889

Vulnrichment

Updated: 2026-01-29T16:01:49.029Z

NVD

Status : Analyzed

Published: 2026-01-28T22:15:56.700

Modified: 2026-03-02T18:28:26.323

Link: CVE-2026-24889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses