Name of the Vulnerable Software and Affected Versions IBC-Go versions 7 and later

Description An issue was discovered in IBC-Go's deserialization of acknowledgements, resulting in non-deterministic behavior that can halt a chain. Any user who can open an IBC channel can introduce this state to the chain.

Recommendations For IBC-Go versions 7 and later, update to version 7.9.2 or 8.6.1 to address this issue. As a temporary workaround, consider permissioning Channel Opening to prevent this state from being introduced to a chain. If you depend on middlewares that serialize acknowledgement packets, update them to use ibc-go's codec: transfertypes.ModuleCdc.[Must]MarshalJSON to avoid failing transfers or a chain halt. For absolute clarity, chains with these ack-serializing middlewares must do coordinated upgrades.