Skip to main content

Soroban Fixed Point Math CVE-2026-24783

HIGH
Incorrect Calculation (CWE-682)
2026-01-27 security-advisories@github.com GHSA-x5m4-43jf-hh65
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 02, 2026 - 21:16 nvd
Patch available
CVE Published
Jan 27, 2026 - 22:15 nvd
HIGH 7.5

DescriptionGitHub Advisory

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the mulDiv(x, y, z) function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are fixed_div_floor and fixed_div_ceil, as they often use non-constant numbers as the divisor $z$ in mulDiv. This error is present in all signed FixedPoint and SorobanFixedPoint implementations, including i64, i128, and I256. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.

AnalysisAI

Incorrect rounding in the mulDiv() function of soroban-fixed-point-math versions 1.3.0 and 1.4.0 allows attackers to manipulate fixed-point arithmetic results in Soroban smart contracts by exploiting sign handling when both the intermediate product and divisor are negative. This affects all signed FixedPoint implementations (i64, i128, I256) and could enable financial miscalculations or loss of funds in dependent contracts. A patch is available in versions 1.3.1 and 1.4.1.

Technical ContextAI

Affects Soroban-Fixed-Point-Math. soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the mulDiv(x, y, z) function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Share

CVE-2026-24783 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy