PT-2026-8029 · Unknown · Ton Virtual Machine

Published: 2026-02-13 · Updated: 2026-02-14 · CVE-2025-70956

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

TON Virtual Machine (TVM) versions prior to 2025.04

Description

A state pollution issue exists in the TON Virtual Machine (TVM) due to non-atomic resource handling within the RUNVM instruction logic, specifically in the `VmState::run_child_vm` function. This function initializes child virtual machines by moving resources, including libraries and logs, from the parent state to the child state. If an Out-of-Gas (OOG) exception occurs during this process, after resources have been moved but before the state transition is complete, the parent VM can be left in a corrupted state. The parent VM continues execution with this corrupted state, potentially leading to unexpected behavior or denial of service within the contract's context.

Recommendations

Update to version 2025.04 or later.
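
The move-then-throw ordering described above, shown as an added example in a simplified model. This is not TON source code or the project's actual fix; `Vm`, `OutOfGas`, `consume_gas` and both `run_child_*` functions are hypothetical names, and the gas values are constructed.

```cpp
#include <string>
#include <utility>
#include <vector>

// Simplified model, not TON source code; every name here is hypothetical.
struct OutOfGas {};

struct Vm {
  std::vector<std::string> libraries;  // stands in for the library set
  std::string log;                     // stands in for the log handle
  long gas;
};

// Gas accounting may throw at any point during child setup.
static void consume_gas(Vm& vm, long amount) {
  if (vm.gas < amount) throw OutOfGas();
  vm.gas -= amount;
}

// Non-atomic: resources leave the parent first, then a throwing step runs.
// On OutOfGas the hand-back below is skipped and the parent stays emptied.
void run_child_non_atomic(Vm& parent, long setup_cost) {
  Vm child{};
  child.libraries = std::move(parent.libraries);
  child.log = std::move(parent.log);
  consume_gas(parent, setup_cost);
  parent.libraries = std::move(child.libraries);
  parent.log = std::move(child.log);
}

// Atomic: every throwing step completes before anything is moved, so an
// exception leaves the parent exactly as it was.
void run_child_atomic(Vm& parent, long setup_cost) {
  consume_gas(parent, setup_cost);
  Vm child{};
  child.libraries = std::move(parent.libraries);
  child.log = std::move(parent.log);
  parent.libraries = std::move(child.libraries);  // child run elided
  parent.log = std::move(child.log);
}

// True if the parent still holds its resources after setup runs out of gas.
bool parent_intact_after_oog(void (*run)(Vm&, long)) {
  Vm parent{{"libA", "libB"}, "parent-log", 5};  // constructed sample state
  try { run(parent, 10); } catch (const OutOfGas&) {}
  return parent.libraries.size() == 2 && parent.log == "parent-log";
}
```

When reviewing similar code, look for any operation that can throw between the point where state is moved out of an object and the point where it is restored or committed.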

Fix

DoS

Prototype Pollution

Weakness Enumeration

Related Identifiers: CVE-2025-70956

Affected Products: Ton Virtual Machine