CVE-2026-24889 [Medium] | Integer Overflow in Rs-Soroban-Sdk

soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boiler plate for a Soroban contract, as well as all examples and docs, encourage the use of configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Securtity Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-29	—	0.01%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-29

—

0.01%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.3	3.1	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:N) Service keeps running; no real outage angle.	3.9	1.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

5.3

3.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N): Service keeps running; no real outage angle.

3.9

1.4

[email protected]

Affected software / configurations for CVE-2026-24889

Vendor	Product	Version	Raw CPE
stellar	rs-soroban-sdk	< 22.0.9	cpe:2.3:a:stellar:rs-soroban-sdk::::::rust::*
stellar	rs-soroban-sdk	>= 23.0.0, < 23.5.1	cpe:2.3:a:stellar:rs-soroban-sdk::::::rust::*
stellar	rs-soroban-sdk	>= 25.0.0, < 25.0.2	cpe:2.3:a:stellar:rs-soroban-sdk::::::rust::*

References for CVE-2026-24889

URL	Tags
https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38	Patch
https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e	Patch
https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462	Patch
https://github.com/stellar/rs-soroban-sdk/pull/1703	Issue Tracking Patch
https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9	Product Release Notes
https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1	Product Release Notes
https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2	Product Release Notes
https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f	Mitigation Vendor Advisory Patch

URL

CVE-2026-24889 | soroban-sdk has overflow in Bytes::slice, Vec::slice, GenRange::gen_range for u64

Exploit prediction scoring system (EPSS) score for CVE-2026-24889

Common vulnerability scoring system (CVSS) metrics for CVE-2026-24889

Weakness enumeration for CVE-2026-24889

GitHub Security Advisory for CVE-2026-24889

Affected software / configurations for CVE-2026-24889

References for CVE-2026-24889