Cyber Resilience

CVE-2025-26622

Severity: Low
Published: 21 February 2025
Modified: 28 March 2025
KEV Added: not listed
Patch: fixed in Vyper 0.4.1
CVSS v4 score: 2.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0024 (47.6th percentile)
Risk Priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-26622 is a low-severity Incorrect Calculation (CWE-682) vulnerability in Vyperlang Vyper. Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-26622 affects Vyper, a Pythonic smart contract language for the Ethereum Virtual Machine (EVM). The flaw is in the `sqrt()` builtin, which computes square roots of `decimal` values with the Babylonian (Newton) iteration. Because the fixed-point iteration can end in an oscillation between two adjacent values instead of settling on one, the builtin may return the value just above the true root rather than the truncated one, so a contract compiled with an affected release can observe a square root that is one unit in the last decimal place larger than it should be.

The CVSS v4 vector recorded for this entry (AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, base score 2.3) rates the issue Low: the affected code is reachable over the network once a contract is deployed, but attack complexity is high, the attack depends on preconditions outside the attacker's control (AT:P, in practice a deployed contract whose logic is sensitive to the rounding direction of `sqrt()`), low privileges are required (PR:L), no user interaction is needed, confidentiality and integrity impact are both rated low, and nothing outside the vulnerable contract is affected. The practical consequence is a root one unit in the last place (10^-10) above the true value; where a decentralized application uses decimal square roots for pricing, bounds or invariant checks that assume truncation, a counterparty can exploit that bias for a small but repeatable financial discrepancy or to push contract logic down an unintended branch.
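The following is an added example, not code from the Vyper project or from the advisory. It models the Babylonian iteration described above on integers scaled by 10^10 (the precision of a Vyper `decimal`) with truncating division, shows a constructed input on which the equality-terminated loop oscillates between two adjacent fixed-point values and comes out rounded up, and beside it a variant that terminates the textbook way and pins the result with the invariant z*z <= x < (z+1)*(z+1). The loop shape, the initial guess x/2 + 0.5, the 256-iteration cap and the sample input 0.1277503968 (chosen so that x*10^10 + 1 is a perfect square) are assumptions made for this example, not a transcription of the compiler's builtin.

```python
"""Fixed-point Babylonian square root and the oscillating-final-state bug.

Model (an assumption for this example): a decimal is an integer scaled by
10**10, as Vyper decimals carry ten fractional digits; division truncates,
as the EVM's SDIV does on positive operands. The loop shape, the initial
guess x/2 + 0.5 and the 256-iteration cap are likewise assumptions here,
not a transcription of the compiler's builtin.
"""

SCALE = 10**10  # ten decimal places


def to_dec(literal: str) -> int:
    """Parse a non-negative decimal literal such as '0.1277503968'."""
    whole, _, frac = literal.partition(".")
    return int(whole) * SCALE + int((frac or "0").ljust(10, "0")[:10])


def fmt_dec(value: int) -> str:
    return f"{value // SCALE}.{value % SCALE:010d}"


def dec_div(a: int, b: int) -> int:
    """Fixed-point division a/b with truncation (EVM SDIV on positives)."""
    return (a * SCALE) // b


def babylonian_naive(x: int, max_iter: int = 256):
    """Iterate z <- (x/z + z)/2 and stop only when two successive iterates
    are equal. Returns (result, converged, previous_iterate).

    Near the root the integer iteration can flip forever between two
    adjacent fixed-point values f and f+1, where f is the truncated root.
    Equality then never occurs, and which of the two comes out depends on
    the parity of the iteration cap, not on the mathematics.
    """
    assert x >= 0
    if x == 0:
        return 0, True, 0
    z = x // 2 + SCALE // 2  # x/2 + 0.5: at or above sqrt(x) up to truncation
    y = x
    for _ in range(max_iter):
        if z == y:
            return z, True, y
        y = z
        z = (dec_div(x, z) + z) // 2
    return z, False, y


def babylonian_floor(x: int, max_iter: int = 256) -> int:
    """Same iteration, terminated the textbook way (stop once the iterate
    stops decreasing) and pinned by an explicit invariant so the result
    can never exceed the true root: z*z <= x*SCALE < (z+1)*(z+1)."""
    assert x >= 0
    if x == 0:
        return 0
    z = x // 2 + SCALE // 2
    for _ in range(max_iter):
        nxt = (dec_div(x, z) + z) // 2
        if nxt >= z:
            break
        z = nxt
    target = x * SCALE
    while z * z > target:               # came out rounded up: step down
        z -= 1
    while (z + 1) * (z + 1) <= target:  # came out short: step up
        z += 1
    return z


def rounded_up(z: int, x: int) -> bool:
    """True if the fixed-point value z lies strictly above sqrt(x)."""
    return z * z > x * SCALE


def is_floor_root(z: int, x: int) -> bool:
    """True if z is the truncated (floor) square root of x."""
    return z * z <= x * SCALE < (z + 1) * (z + 1)


if __name__ == "__main__":
    # Constructed input: x*10**10 + 1 is a perfect square (3574218751**2), so
    # the true root is 0.35742187509999... and the iteration oscillates
    # between 0.3574218750 and 0.3574218751. 2.0 converges normally.
    for lit in ("0.1277503968", "2.0"):
        x = to_dec(lit)
        z, ok, prev = babylonian_naive(x)
        print(f"sqrt({lit}): naive={fmt_dec(z)} converged={ok} "
              f"previous={fmt_dec(prev)} rounded_up={rounded_up(z, x)} "
              f"floor={fmt_dec(babylonian_floor(x))}")
```

The design point is the last two loops of `babylonian_floor`: a Newton loop is a heuristic for finding the root, and the guarantee a contract actually needs (never above the true root) should be enforced as a post-condition on the result rather than inferred from how the loop happened to stop. The same check can be applied from the calling side, in a contract or off-chain, to detect whether a given compiler produces rounded-up values.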

The Vyper security advisory and associated pull request indicate that the issue is being addressed, with a fix expected in version 0.4.1. Users are advised to upgrade to the patched release as soon as it becomes available, as no workarounds are known. Upgrading the compiler only affects contracts compiled afterwards: bytecode already deployed keeps the flawed `sqrt()` and needs to be redeployed from a patched build, or migrated through whatever upgrade mechanism the contract provides. Relevant resources include the GitHub security advisory GHSA-2p94-8669-xg86 and pull request #4486.


Vulnerability details

vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This issue is being addressed and a fix is expected in version 0.4.1. Users are advised to upgrade as soon as the patched release is available. There are no known workarounds for this vulnerability.

CWE(s)

CWE-682 Incorrect Calculation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.003 Runtime Data Manipulation Impact
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.
Why these techniques?

A contract compiled with an affected Vyper release is callable by anyone who can send a transaction to the chain, so triggering the flaw is exploitation of a public-facing application (T1190); the effect is a wrong value computed at runtime rather than tampering with stored data, which is why the impact maps to T1565.003.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27104Same product: Vyperlang Vyper
CVE-2025-27105Same product: Vyperlang Vyper
CVE-2025-21607Same product: Vyperlang Vyper
CVE-2026-44498Shared CWE-682
CVE-2026-1229Shared CWE-682
CVE-2026-24783Shared CWE-682
CVE-2026-33487Shared CWE-682
CVE-2026-28410Shared CWE-682
CVE-2026-0810Shared CWE-682
CVE-2026-25634Shared CWE-682

Affected Assets

vyperlang vyper < 0.4.1 (fixed in 0.4.1)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly requires timely identification, reporting and correction of software flaws such as the incorrect sqrt computation in Vyper, here by upgrading to the patched 0.4.1 release and recompiling and redeploying contracts that use `sqrt()`.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability monitoring and scanning detects the presence of CVE-2025-26622 in Vyper compiler instances used for EVM smart contract development, for example by inventorying compiler versions pinned in build tooling and contract version pragmas.

SI-5 Security Alerts, Advisories, and Directives (detect)

Receiving and disseminating security advisories such as the Vyper GHSA enables early awareness of this sqrt calculation vulnerability for prompt remediation.

References

GitHub security advisory GHSA-2p94-8669-xg86 (vyperlang/vyper)
vyperlang/vyper pull request #4486