How to fix CVE-2025-70955?

Within 24 hours: Inventory all systems running TVM versions prior to v2024.10 and assess whether they process untrusted smart contracts or external transactions. Within 7 days: Implement network segmentation to isolate affected TVM nodes and establish monitoring for abnormal stack behavior or service crashes. Within 30 days: Develop and test an upgrade plan to TVM v2024.10 or later, coordinate with TON foundation for patch availability confirmation, and document all mitigations applied.

Is Stack Overflow affected by CVE-2025-70955?

CVE-2025-70955 is a stack overflow vulnerability in TON Virtual Machine that could allow attackers to crash services or potentially execute code through malicious smart contracts or transactions.

CVE-2025-70955

HIGH

2026-02-13 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 13, 2026 - 22:16 nvd

HIGH 7.5

Description

A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.

Analysis

Technical Context

Classified as CWE-674 (Uncontrolled Recursion). A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Servic

Affected Products

Component: a Denial of.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-70955 vulnerability details – vuln.today

Back

CVE-2025-70955

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-70955

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code