Skip to main content

UltraDAG CVE-2026-40583

| EUVDEUVD-2026-24179 HIGH
Improper Cleanup on Thrown Exception (CWE-460)
2026-04-21 security-advisories@github.com
8.8
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
Apr 21, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 17:36 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:22 euvd
EUVD-2026-24179
Analysis Generated
Apr 21, 2026 - 17:22 vuln.today
CVE Published
Apr 21, 2026 - 17:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred.

AnalysisAI

State corruption in UltraDAG 0.1 allows remote unauthenticated attackers to bypass authorization controls and manipulate blockchain state integrity through malformed SmartOp::Vote transactions. The vulnerability enables attackers to trigger state mutations before authorization checks complete, causing high availability impact and low integrity impact to the blockchain. No active exploitation or public POC has been identified, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial remote exploitation against default configurations. Upstream fixes are available via GitHub commits but no tagged release version has been confirmed.

Technical ContextAI

UltraDAG implements a minimal DAG-BFT (Directed Acyclic Graph Byzantine Fault Tolerant) consensus blockchain in Rust. The vulnerability stems from CWE-460 (Improper Cleanup on Thrown Exception), where the transaction processing pipeline performs state mutations before completing all authorization checks. Specifically, when processing SmartOp::Vote transactions, the system validates cryptographic signatures, nonces, and account balances as preconditions, but defers council membership authorization until after state changes have been committed. This violates the principle of fail-secure defaults in transaction processing. In blockchain contexts, such ordering failures can lead to consensus divergence, state inconsistencies across nodes, and potential double-spend scenarios. The DAG-BFT architecture makes this particularly critical as state mutations can propagate through the graph structure before being invalidated.

RemediationAI

Apply upstream fixes by upgrading to a UltraDAG version containing commits 2f5a3a237ea519b48d71e6e3093c89f60694c7be and 45bcf7064741897319b6196d3d9f9e1307093511, available from https://github.com/UltraDAGcom/core. Consult the vendor advisory at https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp for release guidance. If immediate patching is not feasible, implement compensating controls by restricting network access to UltraDAG nodes using firewall rules permitting only trusted validator IP addresses (trade-off: reduces network decentralization and may impact consensus participation). Additionally, enable transaction validation logging to detect anomalous SmartOp::Vote submissions from non-council addresses, though this provides detection only and does not prevent state mutation. For production blockchain networks, consider temporarily halting new transaction acceptance until patching is complete to prevent consensus corruption, with the trade-off of service unavailability but preserved state integrity. Validate the integrity of existing blockchain state by comparing node databases before resuming operations.

Share

CVE-2026-40583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy