Skip to main content

Github CVE-2026-24889

MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-01-28 security-advisories@github.com GHSA-96xm-fv9w-pf3f
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Mar 02, 2026 - 18:28 nvd
Patch available
CVE Published
Jan 28, 2026 - 22:15 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the Bytes::slice, Vec::slice, and Prng::gen_range (for u64) methods in the soroban-sdk in versions up to and including 25.0.1, 23.5.1, and 25.0.2. Contracts that pass user-controlled or computed range bounds to Bytes::slice, Vec::slice, or Prng::gen_range may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the soroban-sdk and building Soroban contracts is to always enable overflow-checks = true. The stellar contract init tool that prepares the boiler plate for a Soroban contract, as well as all examples and docs, encourage the use of configuring overflow-checks = true on release profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use overflow-checks = false either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable overflow-checks. The fix available in 25.0.1, 23.5.1, and 25.0.2 replaces bare arithmetic with checked_add / checked_sub, ensuring overflow traps regardless of the overflow-checks profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Securtity Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using stellar contract init. Alternatively, contracts can validate range bounds before passing them to slice or gen_range to ensure the conversions cannot overflow.

AnalysisAI

Arithmetic overflow in Soroban SDK versions up to 25.0.2 allows contracts using user-controlled range bounds in Bytes::slice, Vec::slice, or Prng::gen_range methods to operate on incorrect data ranges or generate unintended random numbers, potentially corrupting contract state. Developers who do not enable overflow-checks in their Rust configuration are vulnerable to this silent data corruption. A patch is available and should be applied immediately to affected Soroban contracts.

Technical ContextAI

Classified as CWE-190 (Integer Overflow or Wraparound). Affects Rs-Soroban-Sdk. soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the Bytes::slice, Vec::slice, and Prng::gen_range (for u64) methods in the soroban-sdk in versions up to and including 25.0.1, 23.5.1, and 25.0.2. Contracts that pass user-controlled or computed range bounds to Bytes::slice, Vec::slice, or Prng::gen_range may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Github

View all
CVE-2026-1699 CRITICAL POC
10.0 Jan 30

Supply chain vulnerability in Eclipse Theia GitHub Actions workflow. The preview.yml workflow uses pull_request_target w

CVE-2026-27941 CRITICAL POC
9.9 Feb 26

Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables ma

CVE-2026-22869 CRITICAL POC
9.8 Jan 13

Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling a

CVE-2026-28215 CRITICAL POC
9.1 Feb 26

Unauthenticated infrastructure overwrite in Hoppscotch API development ecosystem before 2026.2.0. Attackers can overwrit

CVE-2018-1000600 HIGH POC
8.8 Jun 26

A exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCrede

CVE-2026-30920 HIGH POC
8.6 Mar 10

OneUptime versions prior to 10.0.19 allow unauthenticated attackers to hijack GitHub App integrations across projects by

CVE-2026-25221 HIGH POC
8.1 Feb 02

PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enab

CVE-2026-23644 HIGH POC
7.5 Jan 18

Path traversal in esm.sh CDN prior to version 0.0.0-20260116051925-c62ab83c589e allows unauthenticated remote attackers

CVE-2025-68619 HIGH POC
7.2 Jan 01

Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore i

CVE-2026-27943 MEDIUM POC
6.5 Feb 26

Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients

CVE-2026-23889 MEDIUM POC
6.5 Jan 26

Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package dire

CVE-2026-27612 MEDIUM POC
6.1 Feb 25

Reflected XSS in Repostat's RepoCard React component prior to version 1.0.1 allows attackers to execute arbitrary JavaSc

Share

CVE-2026-24889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy