PT-2026-5030 · Unknown · Soroban-Fixed-Point-Math
Published 2026-01-27 · Updated 2026-03-02 · CVE-2026-24783
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: soroban-fixed-point-math versions 1.3.0 through 1.4.0
Description: The mulDiv(x, y, z) function in soroban-fixed-point-math incorrectly handles cases where both the intermediate product x * y and the divisor z are negative. The logic incorrectly assumes that if the intermediate product is negative, the final result must also be negative, neglecting the sign of z. This results in rounding being applied in the wrong direction when both x * y and z are negative. This issue affects all signed FixedPoint and SorobanFixedPoint implementations, including i64, i128, and I256. For the i64 implementation, a negative overflow can occur because the code does not check against i64::MIN. The functions most at risk are fixed_div_floor and fixed_div_ceil, as they often use non-constant numbers as the divisor z in mulDiv.
Recommendations: Version 1.3.0 should be upgraded to version 1.3.1. Version 1.4.0 should be upgraded to version 1.4.1.
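The sign handling the description calls for, as an added example in Rust (not the crate's own code): the exact quotient of x * y / z is negative only when the product and z differ in sign, so a rounding step that tests only the product's sign goes the wrong way when both are negative. A 128-bit intermediate plus a checked narrowing back to i64 also covers the i64::MIN edge. The flawed_floor function is a hypothetical reconstruction of the assumption the description names, not the vulnerable source.

```rust
/// Rounding direction requested by the caller (floor or ceil variants of mul_div).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Rounding {
    Floor,
    Ceil,
}

/// Computes x * y / z for i64 with the requested rounding.
/// Returns None when z == 0 or when the rounded result does not fit in i64
/// (this includes the i64::MIN boundary, e.g. i64::MIN * 1 / -1).
pub fn mul_div(x: i64, y: i64, z: i64, rounding: Rounding) -> Option<i64> {
    if z == 0 {
        return None;
    }
    // 128-bit intermediate: |x * y| < 2^126, so the product cannot overflow.
    let prod = (x as i128) * (y as i128);
    let z = z as i128;
    // Rust's `/` and `%` truncate toward zero; the remainder carries prod's sign.
    let q = prod / z;
    let r = prod % z;
    if r == 0 {
        return i64::try_from(q).ok();
    }
    // The exact quotient is negative exactly when prod and z differ in sign.
    // Testing only `prod < 0` (the flaw described above) misclassifies the
    // case where both prod and z are negative, so rounding goes the wrong way.
    let exact_is_negative = (prod < 0) != (z < 0);
    let rounded = match rounding {
        // Truncation already equals floor for a positive exact quotient.
        Rounding::Floor => if exact_is_negative { q - 1 } else { q },
        // Truncation already equals ceil for a negative exact quotient.
        Rounding::Ceil => if exact_is_negative { q } else { q + 1 },
    };
    // try_from rejects anything outside i64::MIN..=i64::MAX.
    i64::try_from(rounded).ok()
}

/// Hypothetical illustration (not the crate's code) of the flawed assumption
/// from the description: "intermediate product negative" is taken to mean
/// "result negative", so floor subtracts one even when z is negative too.
pub fn flawed_floor(x: i64, y: i64, z: i64) -> Option<i64> {
    if z == 0 {
        return None;
    }
    let prod = (x as i128) * (y as i128);
    let (q, r) = (prod / (z as i128), prod % (z as i128));
    let rounded = if prod < 0 && r != 0 { q - 1 } else { q };
    i64::try_from(rounded).ok()
}
```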

Related Identifiers

CVE-2026-24783
GHSA-X5M4-43JF-HH65

Affected Products

Soroban-Fixed-Point-Math