{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24783", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-26T21:06:47.869Z", "datePublished": "2026-01-27T22:04:18.006Z", "dateUpdated": "2026-01-28T21:09:12.428Z"}, "containers": {"cna": {"title": "soroban-fixed-point-math has Incorrect Rounding and Overflow Handling in Signed Fixed-Point Math with Negatives", "problemTypes": [{"descriptions": [{"cweId": "CWE-682", "lang": "en", "description": "CWE-682: Incorrect Calculation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65"}, {"name": "https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a", "tags": ["x_refsource_MISC"], "url": "https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a"}, {"name": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1"}, {"name": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1"}], "affected": [{"vendor": "script3", "product": "soroban-fixed-point-math", "versions": [{"version": "= 1.4.0", "status": "affected"}, {"version": "= 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T22:04:18.006Z"}, "descriptions": [{"lang": "en", "value": "soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available."}], "source": {"advisory": "GHSA-x5m4-43jf-hh65", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T21:08:58.618891Z", "id": "CVE-2026-24783", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:09:12.428Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24783", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T21:08:58.618891Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T21:09:08.630Z"}}], "cna": {"title": "soroban-fixed-point-math has Incorrect Rounding and Overflow Handling in Signed Fixed-Point Math with Negatives", "source": {"advisory": "GHSA-x5m4-43jf-hh65", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "script3", "product": "soroban-fixed-point-math", "versions": [{"status": "affected", "version": "= 1.4.0"}, {"status": "affected", "version": "= 1.3.0"}]}], "references": [{"url": "https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65", "name": "https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a", "name": "https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1", "name": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1", "name": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-27T22:04:18.006Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24783", "state": "PUBLISHED", "dateUpdated": "2026-01-28T21:09:12.428Z", "dateReserved": "2026-01-26T21:06:47.869Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-27T22:04:18.006Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:script3:soroban-fixed-point-math:1.3.0:*:*:*:*:rust:*:*", "matchCriteriaId": "BFBA3A8B-B607-418C-86A3-15AFD0F3A903", "vulnerable": true}, {"criteria": "cpe:2.3:a:script3:soroban-fixed-point-math:1.4.0:*:*:*:*:rust:*:*", "matchCriteriaId": "48B58A8B-A909-4A41-B0F3-0E9CD0824255", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available."}], "id": "CVE-2026-24783", "lastModified": "2026-03-02T21:16:22.370", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-27T22:15:57.433", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:44:55.840952+00:00", "value": {"mitigation_remediation": ["Upgrade to soroban\u2011fixed\u2011point\u2011math version 1.3.1 or newer (or 1.4.1 or newer) to apply the official patch", "Add unit tests that exercise mulDiv, fixed_div_floor, and fixed_div_ceil with combinations of negative operands to detect rounding and overflow errors", "Implement runtime validation to check the signs of the intermediate product and the divisor before performing division, and apply correct rounding logic as defined for signed fixed\u2011point arithmetic"], "summary": {"action": "Apply patch", "impact": "Incorrect arithmetic in signed fixed\u2011point math leading to erroneous calculation results"}, "threat_synthesis": {"affected_systems": "The issue exists in script3\u2019s soroban-fixed-point-math library versions 1.3.0 and 1.4.0, affecting all signed FixedPoint and SorobanFixedPoint types (i64, i128, I256). Updated releases 1.3.1 and 1.4.1 contain the patch and resolve the problem. Any deployment that references the unpatched versions is vulnerable.", "description_and_impact": "The vulnerability is a flaw in the mulDiv function of a fixed\u2011point math library used by Soroban smart contracts. When both the intermediate product (x\u00a0*\u00a0y) and the divisor (z) are negative, the code incorrectly assumes the final result must be negative and applies rounding in the wrong direction. This causes the fixed_div_floor and fixed_div_ceil functions, which often use dynamic divisors, to produce inaccurate results for negative operands. The bug could lead to financial miscalculation or consensus errors in affected contracts, and its CVSS score of 7.5 reflects a high impact on correctness and potential for financial loss.", "risk_and_exploitability": "With a CVSS score of 7.5, the vulnerability poses a significant correctness risk, but the EPSS score is below 1%, indicating a low probability of exploitation. The bug is not listed in the CISA KEV catalog. An attacker would need to craft a contract that uses the affected division functions with negative operands to influence calculation results. While no remote code execution or denial\u2011of\u2011service effect is possible, the improper rounding could be exploited for financial manipulation or to trigger consensus faults in the network. The attack vector is likely through contract interaction rather than external access, making active exploitation difficult but not impossible in a malicious or buggy context."}}}}, "created": "2026-01-28T12:22:28.052448+00:00", "updated": "2026-04-18T18:45:05.762959+00:00", "vendors": ["script3", "script3$PRODUCT$soroban-fixed-point-math"]}