Skip to main content

CVE-2026-32322

| EUVDEUVD-2026-11726 MEDIUM
Incorrect Comparison (CWE-697)
2026-03-13 security-advisories@github.com GHSA-x2hw-px52-wp4m
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 20:00 euvd
EUVD-2026-11726
Analysis Generated
Mar 13, 2026 - 20:00 vuln.today
CVE Published
Mar 13, 2026 - 19:54 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, The Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). The vulnerability requires an attacker to supply crafted Fr values through contract inputs, and compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0.

AnalysisAI

The soroban-sdk Rust SDK contains a cryptographic comparison vulnerability in Fr (scalar field) types for BN254 and BLS12-381 curves that fails to reduce unreduced field elements modulo the field modulus r before equality comparison. This allows attackers to supply crafted Fr values that are mathematically equal but compare as unequal when unreduced, potentially bypassing security-critical authorization or validation logic in smart contracts. The vulnerability affects versions prior to 22.0.11, 23.5.3, and 25.3.0; with a CVSS score of 5.3 (Medium), it poses moderate risk primarily to contract integrity rather than confidentiality.

Technical ContextAI

Soroban-sdk (CPE: cpe:2.3:a:stellar:soroban-sdk) is a Rust development kit for writing smart contracts on the Stellar Soroban platform. The vulnerability resides in the cryptographic field arithmetic implementation, specifically in how Fr (scalar field) types handle equality comparisons for elliptic curve cryptography on BN254 and BLS12-381 curves. The root cause is classified under CWE-697 (Incorrect Comparison), stemming from incomplete field reduction logic. In modular arithmetic, field elements should be canonicalized to a reduced form (values less than the field modulus r) before comparison; the vulnerable code performs U256 bitwise comparison on raw, potentially unreduced values. This violates the mathematical properties required for secure cryptographic operations and can cause identical field elements to fail equality checks if one or both values exceed the modulus.

RemediationAI

Upgrade soroban-sdk immediately to version 22.0.11, 23.5.3, or 25.3.0 or later, depending on your current branch. Review any smart contracts deployed or in development that perform equality comparisons on Fr types, particularly those used in authorization or validation logic, and test with updated SDK versions to confirm correct behavior. In the interim, if upgrading is blocked, apply defensive programming practices: avoid direct Fr equality comparisons on untrusted inputs; instead, perform arithmetic operations that naturally reduce values modulo r, or use constant-time comparison functions if available. Additionally, implement input validation and bounds-checking to reject unreduced field values before comparison. Consult the official Stellar soroban-sdk repository and security advisories for additional guidance.

Share

CVE-2026-32322 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy