PT-2026-5233 · Stellar · Soroban-Sdk

Leighmcculloch · Published 2026-01-28 · Updated 2026-03-02 · CVE-2026-24889
CVSS v3.1: 5.3 Medium · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
soroban-sdk versions 22.0.9 through 25.0.1
soroban-sdk version 23.5.1
soroban-sdk version 25.0.2
Description
The soroban-sdk contains an arithmetic overflow issue in the Bytes::slice, Vec::slice, and Prng::gen_range (for u64) methods. When a contract is compiled with overflow-checks = false, these functions silently wrap on boundary values, producing incorrect data ranges or unintended random-number output and potentially corrupting contract state. The issue is reachable whenever user-controlled or computed range bounds are passed to these methods. Best practice is to enable overflow-checks = true during contract development, as the stellar contract init tool encourages. The fix replaces bare arithmetic with checked_add and checked_sub, so an overflow traps regardless of the profile's overflow-checks setting.
Recommendations
soroban-sdk versions 22.0.9 through 25.0.1: Configure contract workspaces with a profile that enables overflow checks, setting overflow-checks = true.
soroban-sdk version 23.5.1: Configure contract workspaces with a profile that enables overflow checks, setting overflow-checks = true.
soroban-sdk version 25.0.2: Configure contract workspaces with a profile that enables overflow checks, setting overflow-checks = true.
Alternatively, validate range bounds before passing them to slice or gen_range so that no overflow can occur. Do not pass Bound::Excluded(u32::MAX) or Bound::Included(u32::MAX) to Bytes::slice or Vec::slice. Do not pass Bound::Excluded(u64::MAX) as a start bound or Bound::Excluded(0) as an end bound to Prng::gen_range::<u64>.
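The following Rust is an added example and is not code from the advisory or from the soroban-sdk itself. It models the bound-resolution arithmetic the description and recommendations imply (an Excluded start becomes start + 1, an Included end becomes end + 1 for a u32 slice; an Excluded start becomes start + 1 and an Excluded end becomes end - 1 for a u64 gen_range) with plain integers, so it runs without the SDK. The vulnerable variants use explicit wrapping arithmetic to stand in for what bare + and - do under overflow-checks = false; the hardened variants use checked_add and checked_sub, as the fix does, and a plain byte slice stands in for Bytes/Vec. All function names and the sample buffer are assumptions.

```rust
// Added example, not soroban-sdk code. Function names, the plain-slice
// stand-in for Bytes/Vec and the sample buffer are assumptions.
use std::ops::Bound;

/// Vulnerable pattern: wrapping arithmetic models bare `+` under
/// `overflow-checks = false`. Returns a half-open [lo, hi).
pub fn resolve_slice_bounds_wrapping(start: Bound<u32>, end: Bound<u32>, len: u32) -> (u32, u32) {
    let lo = match start {
        Bound::Included(s) => s,
        Bound::Excluded(s) => s.wrapping_add(1), // Excluded(u32::MAX) wraps to 0
        Bound::Unbounded => 0,
    };
    let hi = match end {
        Bound::Included(e) => e.wrapping_add(1), // Included(u32::MAX) wraps to 0
        Bound::Excluded(e) => e,
        Bound::Unbounded => len,
    };
    (lo, hi)
}

/// Hardened pattern: checked arithmetic turns an overflow into None, which
/// a caller treats as a trap, so no wrapped range is ever produced.
pub fn resolve_slice_bounds_checked(start: Bound<u32>, end: Bound<u32>, len: u32) -> Option<(u32, u32)> {
    let lo = match start {
        Bound::Included(s) => s,
        Bound::Excluded(s) => s.checked_add(1)?,
        Bound::Unbounded => 0,
    };
    let hi = match end {
        Bound::Included(e) => e.checked_add(1)?,
        Bound::Excluded(e) => e,
        Bound::Unbounded => len,
    };
    if lo > hi || hi > len {
        return None;
    }
    Some((lo, hi))
}

/// Slice with the vulnerable resolver: the ordinary range check passes on
/// the wrapped values, so the caller silently gets the wrong slice.
pub fn slice_bytes_wrapping(data: &[u8], start: Bound<u32>, end: Bound<u32>) -> Option<&[u8]> {
    let len = data.len() as u32;
    let (lo, hi) = resolve_slice_bounds_wrapping(start, end, len);
    if lo > hi || hi > len {
        return None;
    }
    Some(&data[lo as usize..hi as usize])
}

/// Same operation with the checked resolver: boundary values are rejected.
pub fn slice_bytes_checked(data: &[u8], start: Bound<u32>, end: Bound<u32>) -> Option<&[u8]> {
    let (lo, hi) = resolve_slice_bounds_checked(start, end, data.len() as u32)?;
    Some(&data[lo as usize..hi as usize])
}

/// Vulnerable u64 range resolution for a PRNG draw, inclusive [lo, hi].
pub fn resolve_prng_range_wrapping(start: Bound<u64>, end: Bound<u64>) -> (u64, u64) {
    let lo = match start {
        Bound::Included(s) => s,
        Bound::Excluded(s) => s.wrapping_add(1), // Excluded(u64::MAX) wraps to 0
        Bound::Unbounded => 0,
    };
    let hi = match end {
        Bound::Included(e) => e,
        Bound::Excluded(e) => e.wrapping_sub(1), // Excluded(0) wraps to u64::MAX
        Bound::Unbounded => u64::MAX,
    };
    (lo, hi)
}

/// Checked u64 range resolution: both boundary inputs named in the
/// advisory, and any empty range, come back as None.
pub fn resolve_prng_range_checked(start: Bound<u64>, end: Bound<u64>) -> Option<(u64, u64)> {
    let lo = match start {
        Bound::Included(s) => s,
        Bound::Excluded(s) => s.checked_add(1)?,
        Bound::Unbounded => 0,
    };
    let hi = match end {
        Bound::Included(e) => e,
        Bound::Excluded(e) => e.checked_sub(1)?,
        Bound::Unbounded => u64::MAX,
    };
    if lo > hi {
        return None;
    }
    Some((lo, hi))
}

fn main() {
    // Constructed sample input: a 4-byte buffer standing in for a Bytes value.
    let data = [0xDEu8, 0xAD, 0xBE, 0xEF];
    let (s, e) = (Bound::Excluded(u32::MAX), Bound::Unbounded);
    println!("wrapping slice: {:?}", slice_bytes_wrapping(&data, s, e));
    println!("checked slice:  {:?}", slice_bytes_checked(&data, s, e));
    println!("wrapping range: {:?}", resolve_prng_range_wrapping(Bound::Unbounded, Bound::Excluded(0)));
    println!("checked range:  {:?}", resolve_prng_range_checked(Bound::Unbounded, Bound::Excluded(0)));
}
```

With the wrapping resolvers, Excluded(u32::MAX) as a start returns the whole buffer and Included(u32::MAX) as an end returns an empty slice, both without error; for the u64 range, Excluded(u64::MAX) as a start or Excluded(0) as an end widens an empty range to the full 0..=u64::MAX, so a draw that should have failed returns an arbitrary value. The checked resolvers reject all four. In a real contract the same effect is obtained by setting overflow-checks = true in the Cargo profile used to build the Wasm (for example under [profile.release]), which makes the SDK's bare arithmetic trap instead of wrap on those inputs.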

Exploit · Fix · Integer Overflow


Weakness Enumeration

Related Identifiers

CVE-2026-24889
GHSA-96XM-FV9W-PF3F

Affected Products

Soroban-Sdk