{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40583", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.475Z", "datePublished": "2026-04-21T16:57:42.100Z", "dateUpdated": "2026-04-21T20:37:16.729Z"}, "containers": {"cna": {"title": "UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant Halt", "problemTypes": [{"descriptions": [{"cweId": "CWE-460", "lang": "en", "description": "CWE-460: Improper Cleanup on Thrown Exception", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-696", "lang": "en", "description": "CWE-696: Incorrect Behavior Order", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/U:Red", "version": "4.0"}}], "references": [{"name": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp"}, {"name": "https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be", "tags": ["x_refsource_MISC"], "url": "https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be"}, {"name": "https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511", "tags": ["x_refsource_MISC"], "url": "https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511"}], "affected": [{"vendor": "UltraDAGcom", "product": "core", "versions": [{"version": "= 0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:57:42.100Z"}, "descriptions": [{"lang": "en", "value": "UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred."}], "source": {"advisory": "GHSA-q8wx-2crx-c7pp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:09:12.285156Z", "id": "CVE-2026-40583", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:16.729Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40583", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:09:12.285156Z"}}}], "references": [{"url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:09:23.108Z"}}], "cna": {"title": "UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant Halt", "source": {"advisory": "GHSA-q8wx-2crx-c7pp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/U:Red", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "UltraDAGcom", "product": "core", "versions": [{"status": "affected", "version": "= 0.1"}]}], "references": [{"url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp", "name": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be", "name": "https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511", "name": "https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-460", "description": "CWE-460: Improper Cleanup on Thrown Exception"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-696", "description": "CWE-696: Incorrect Behavior Order"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:57:42.100Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40583", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:16.729Z", "dateReserved": "2026-04-14T13:24:29.475Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:57:42.100Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ultradag:ultradag:0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "52EB5FF9-89C8-463E-AFF6-97F273F25877", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred."}], "id": "CVE-2026-40583", "lastModified": "2026-04-27T15:23:05.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "RED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:56.083", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-460"}, {"lang": "en", "value": "CWE-696"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "UltraDAGcom"}, "product": "core", "vendor": "ultradagcom"}], "analysis": {"en": {"generated_at": "2026-04-21T22:36:10.584503+00:00", "value": {"mitigation_remediation": ["Deploy the patched version of UltraDAGcore once it is released by the vendor.", "If a patch is not yet available, reconfigure the node to reject or revert any SmartOp::Vote transaction originating from non\u2011council members before applying state changes, effectively restoring the original pre\u2011check order.", "Implement monitoring and alerting to detect anomalous state mutations or node halts and notify the operations team for rapid response."], "summary": {"action": "Immediate Patch", "impact": "Supply invariant violation causing a system halt (availability disruption)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects UltraDAGcom\u2019s core implementation, specifically version 0.1 as disclosed by the vendor. No other versions or products are listed as impacted in the CNA data.", "description_and_impact": "An attacker who is not a council member can forge a SmartOp::Vote transaction that satisfies signature verification, nonce and balance checks but is not authorized until after the state has already been mutated. This ordering flaw allows the transaction to change the blockchain state before the authorization check, corrupting a critical supply invariant and triggering a fatal halt in the network. The vulnerability manifests as an authorization weakness (CWE\u2011696), coupled with an unchecked state mutation that can lead to denial of service. It does not directly expose confidential data, but the resulting halt disrupts the availability and integrity of the network, potentially causing loss of funds and service.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score is not provided, but the lack of any restriction on who can submit signed SmartOp::Vote transactions implies a low barrier to exploitation. The vulnerability is not listed in CISA\u2019s KEV, suggesting no known widespread exploitation at this time. Attackers only need the ability to sign a transaction with a non\u2011council key, which is reportedly doable under the existing rules. Consequently, this flaw is likely to be exploited in environments that run the unpatched UltraDAGcore 0.1 network."}}}}, "created": "2026-04-21T22:45:16.052208+00:00", "updated": "2026-04-22T11:46:07.603774+00:00", "vendors": ["ultradagcom", "ultradagcom$PRODUCT$core"]}