CVE-2025-26622
Published: 21 February 2025
Summary
CVE-2025-26622 is a high-severity Incorrect Calculation (CWE-682) vulnerability in Vyperlang Vyper. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 47.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 Flaw Remediation: directly requires timely identification, reporting, and correction of software flaws such as the incorrect `sqrt()` computation in Vyper, here by upgrading to the patched release 0.4.1.
RA-5 Vulnerability Monitoring and Scanning: scanning detects affected Vyper compiler installations and build toolchains used for EVM smart contract development, so that CVE-2025-26622 is surfaced before contracts are compiled and deployed with them.
SI-5 Security Alerts, Advisories, and Directives: receiving and disseminating advisories such as the Vyper GHSA gives early awareness of this `sqrt()` rounding flaw for prompt remediation.
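One concrete scanning check for the RA-5 point above: Vyper sources carry a compiler version pragma, and a contract whose pragma cannot select a release at or above the fixed version will keep being built with a vulnerable compiler no matter what is installed. The script below is an added example written for this page, not Vyper's own tooling; it assumes the pragma spellings `# @version <spec>` and `# pragma version <spec>`, PEP 440 style clauses (`==`, `>=`, `<`, `~=`), and the usual caret semantics (`^0.3.10` meaning `>=0.3.10,<0.4.0`). The function names and the sample sources are constructed for the example.

```python
"""Flag Vyper sources whose version pragma cannot select a compiler at or
above the release expected to fix CVE-2025-26622.

Added example for this page, not Vyper's own tooling.  Assumptions: pragmas
look like '# @version <spec>' or '# pragma version <spec>', with PEP 440 style
clauses separated by commas and '^' caret ranges as approximated below."""
import re

FIXED_IN = (0, 4, 1)  # first release expected to carry the fix, per the advisory

PRAGMA_RE = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(.+?)\s*$", re.MULTILINE)
CLAUSE_RE = re.compile(r"^(==|>=|<=|>|<|\^|~=)?\s*(\d+)\.(\d+)\.(\d+)$")


def clause_allows(clause: str, candidate: tuple) -> bool:
    """Does one specifier clause (e.g. '>=0.3.10', '^0.3.10') admit `candidate`?"""
    m = CLAUSE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"unparsed clause {clause!r}")
    op, *parts = m.groups()
    v = tuple(int(p) for p in parts)
    if op in (None, "=="):            # bare version or == is an exact pin
        return candidate == v
    if op == ">=":
        return candidate >= v
    if op == ">":
        return candidate > v
    if op == "<=":
        return candidate <= v
    if op == "<":
        return candidate < v
    if op == "~=":                    # ~=0.3.10 -> >=0.3.10,<0.4.0 (PEP 440 compatible release)
        upper = (v[0], v[1] + 1, 0)
    else:                             # caret: ^1.2.3 -> <2.0.0, ^0.3.10 -> <0.4.0 (assumed)
        upper = (v[0] + 1, 0, 0) if v[0] else (0, v[1] + 1, 0)
    return v <= candidate < upper


def pragma_allows_fix(spec: str, candidate: tuple = FIXED_IN) -> bool:
    """True if every comma separated clause of the pragma admits the fixed release."""
    return all(clause_allows(c, candidate) for c in spec.split(","))


def audit(sources: dict) -> dict:
    """Map file name -> verdict for a {name: source_text} dict of Vyper sources."""
    verdicts = {}
    for name, text in sources.items():
        m = PRAGMA_RE.search(text)
        if not m:
            verdicts[name] = "no version pragma: compiler choice is implicit, check the build"
        elif pragma_allows_fix(m.group(1)):
            verdicts[name] = "pragma permits a fixed compiler"
        else:
            wanted = ".".join(str(n) for n in FIXED_IN)
            verdicts[name] = f"pragma {m.group(1)!r} excludes {wanted}: bump the pragma and recompile"
    return verdicts


# Constructed sample sources (not real contracts), one per case the audit distinguishes.
SAMPLE_SOURCES = {
    "vault.vy": "# @version 0.3.10\n@external\ndef f(x: decimal) -> decimal:\n    return sqrt(x)\n",
    "amm.vy": "#pragma version ^0.3.10\n@external\ndef g(x: decimal) -> decimal:\n    return sqrt(x)\n",
    "oracle.vy": "# pragma version >=0.3.10, <0.5.0\n@external\ndef h(x: decimal) -> decimal:\n    return sqrt(x)\n",
    "legacy.vy": "# no pragma at all\n@external\ndef k(x: decimal) -> decimal:\n    return sqrt(x)\n",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_SOURCES).items():
        print(f"{name}: {verdict}")
```

A file whose pragma "permits" the fixed release is only half the story: the build still has to install that release, so pair this with a check of the compiler version actually used by your build pipeline.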
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A smart contract compiled with an affected Vyper release is a public-facing application on the chain: any party able to send it a transaction can supply an argument that drives `sqrt()` into the oscillating final state (T1190), and the rounded-up result then feeds whatever logic the contract builds on it, which is runtime data manipulation (T1565.003).
NVD Description
vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-26622 affects Vyper, a Pythonic smart contract language for the Ethereum Virtual Machine (EVM). The vulnerability resides in the `sqrt()` builtin, which computes square roots of decimals with the Babylonian (Newton) method. In fixed-point arithmetic that iteration does not always settle on a single value: for some inputs the last two iterates alternate between two adjacent candidates, and because the builtin mishandled that oscillating final state it could return the larger candidate, a result rounded up where the caller expects the truncated (rounded-down) value. Any compiled contract that relies on an exact decimal square root therefore inherits the error.
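To make the failure mode concrete, the following added example (written for this page; it is not Vyper's source and should not be read as its exact algorithm) models Vyper-style decimals as integers scaled by 10**10 and runs the Babylonian iteration twice: once with a naive "stop when two consecutive iterates are equal" rule, which never fires when the iteration oscillates and so hands back whatever value it holds when the iteration budget runs out, and once with a hardened rule that stops at the first non-decreasing step and then enforces the floor post-condition. All function names, the `SCALE` constant, the initial guess, and the sample inputs are assumptions of the example.

```python
"""Fixed-point Babylonian (Newton) square root: a naive stopping rule that can
return a rounded-up result, next to a hardened version that always returns the
floor.  Illustrative model written for this page; it is NOT Vyper's source.
Assumptions: Vyper-style decimals are modelled as integers scaled by 10**10,
and division truncates (all inputs here are non-negative)."""
from decimal import Decimal

SCALE = 10 ** 10  # 10 fractional digits, like Vyper's `decimal`


def to_fixed(text: str) -> int:
    """'1.5' -> 15000000000 (exact; rejects more than 10 fractional digits)."""
    scaled = Decimal(text) * SCALE
    if scaled != scaled.to_integral_value():
        raise ValueError("more than 10 fractional digits")
    return int(scaled)


def to_text(value: int) -> str:
    """15000000000 -> '1.5000000000'."""
    return f"{value // SCALE}.{value % SCALE:010d}"


def is_floor_sqrt(x: int, z: int) -> bool:
    """True iff z is the rounded-down root: z*z <= x*SCALE < (z+1)**2."""
    n = x * SCALE
    return z * z <= n < (z + 1) * (z + 1)


def sqrt_naive(x: int, max_iter: int = 256) -> int:
    """Stops only when two consecutive iterates are equal.  When the integer
    Newton step oscillates between n and n+1 that never happens, and the value
    returned after max_iter steps may be the rounded-UP candidate."""
    if x < 0:
        raise ValueError("negative input")
    if x == 0:
        return 0
    n = x * SCALE
    y = x
    z = x // 2 + SCALE // 2          # initial guess x/2 + 0.5, in fixed point
    for _ in range(max_iter):
        if z == y:
            break
        y = z
        z = (n // z + z) // 2          # Newton step with truncating division
    return z


def sqrt_floor(x: int, max_iter: int = 256) -> int:
    """Hardened variant: stop at the first non-decreasing step (the classic
    integer-Newton termination, valid because the initial guess is above the
    root), then repair any residual off-by-one so the floor invariant holds."""
    if x < 0:
        raise ValueError("negative input")
    if x == 0:
        return 0
    n = x * SCALE
    z = x // 2 + SCALE // 2
    for _ in range(max_iter):
        nxt = (n // z + z) // 2
        if nxt >= z:                   # iterates stopped decreasing
            break
        z = nxt
    while z * z > n:                   # overshoot (the rounded-up case): step down
        z -= 1
    while (z + 1) * (z + 1) <= n:      # undershoot: step up
        z += 1
    return z


if __name__ == "__main__":
    # Constructed inputs.  1.0000000002 is the worst case for the naive rule:
    # x*SCALE == (10**10 + 1)**2 - 1, so Newton flips between 1.0000000000 and
    # 1.0000000001 forever and the naive loop ends on the rounded-up value.
    for text in ("4.0", "2.0", "1.0000000002"):
        x = to_fixed(text)
        a, b = sqrt_naive(x), sqrt_floor(x)
        tag = "ok" if is_floor_sqrt(x, a) else "ROUNDED UP"
        print(f"sqrt({text}): naive={to_text(a)} ({tag}), floor={to_text(b)}")
```

The oscillating inputs are exactly those where `x*SCALE` is one less than a perfect square, which is why the bug is silent on ordinary test vectors such as 2.0 or 4.0 and only shows on values a reviewer would rarely think to try; the post-condition in `sqrt_floor` is the cheap defence that catches it regardless of how the loop terminated.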
Exploitation needs only network access, which in this setting means the ability to send a transaction to an affected contract, with low complexity, no privileges, no user interaction, and no change of scope. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) reflects high integrity impact: for inputs that hit the oscillating final state, an attacker who controls or influences the argument to `sqrt()` obtains a result that is rounded up rather than down and can steer any calculation the contract derives from it. The error is deterministic, so the same input always yields the same wrong value, and its consequence depends on what the contract does with the result; pricing curves, share or collateral computations, and bound checks that rely on an exact decimal square root can produce financial discrepancies or flawed decisions in decentralized applications.
The Vyper security advisory (GHSA-2p94-8669-xg86) and the associated pull request (#4486) indicate that the issue is being addressed, with a fix expected in version 0.4.1. Users are advised to upgrade to the patched release as soon as it becomes available, as no workarounds are known. Because the defect lives in the compiler, upgrading protects only contracts compiled afterwards: bytecode already deployed from an affected release retains the faulty `sqrt()` and must be rebuilt with the fixed compiler and redeployed or migrated, since the contract itself offers no workaround.
Details
- CWE(s)