How to fix CVE-2025-70954?

Within 24 hours: Inventory all TON Blockchain infrastructure and identify systems running versions before v2025.06; assess exposure to untrusted transaction sources. Within 7 days: Implement network segmentation to restrict INMSGPARAM instruction processing from untrusted networks; enable enhanced monitoring and alerting for TVM crashes or anomalous behavior. Within 30 days: Establish communication with TON development team regarding patch timeline; evaluate migration plans to patched versions once available; conduct penetration testing on affected systems.

Is Null Pointer Dereference affected by CVE-2025-70954?

CVE-2025-70954 is a critical vulnerability affecting TON Blockchain systems that could allow attackers to crash nodes or potentially execute unauthorized operations through a null pointer dereference in the TVM.

CVE-2025-70954

HIGH

2026-02-13 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 13, 2026 - 22:16 nvd

HIGH 7.5

Description

A Null Pointer Dereference vulnerability exists in the TON Virtual Machine (TVM) within the TON Blockchain before v2025.06. The issue is located in the execution logic of the INMSGPARAM instruction, where the program fails to validate if a specific pointer is null before accessing it. By sending a malicious transaction or smart contract, an attacker can trigger this null pointer dereference, causing the validator node process to crash (segmentation fault). This results in a Denial of Service (DoS) affecting the availability of the entire blockchain network.

Analysis

Technical Context

Classified as CWE-476 (NULL Pointer Dereference). A Null Pointer Dereference vulnerability exists in the TON Virtual Machine (TVM) within the TON Blockchain before v2025.06. The issue is located in the execution logic of the INMSGPARAM instruction, where the program fails to validate if a specific pointer is null before accessing it. By sending a malicious transaction or smart contract, an attacker can trigger this null pointer dereference, causing the validator node process to crash (segmentation fault). This results in a Denial of Service (Do

Affected Products

Component: a Denial of.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-70954 vulnerability details – vuln.today

Back

CVE-2025-70954

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-70954

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code