CVE-2026-32322

MEDIUM EPSS 19.6%
Published Mar 13, 20263mo ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Medium
Find Similar
Published Mar 13, 2026 3mo ago
Last Modified Jun 17, 2026 2w ago

Description

soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, The Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). The vulnerability requires an attacker to supply crafted Fr values through contract inputs, and compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0.

CVSS Details

Base Score
5.3
Exploitability
3.9
Impact
1.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
19.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-697

Affected Products 3

VendorProductVersionRange
stellarrs-soroban-sdk* <22.0.11
stellarrs-soroban-sdk*≥23.0.0  –  <23.5.3
stellarrs-soroban-sdk*≥25.0.0  –  <25.3.0

References 1

  • github.com https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-x2hw-px52-wp4m
    MitigationPatchVendor Advisory

Remediation

  • github.com https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-x2hw-px52-wp4m
    MitigationPatchVendor Advisory