CVE-2025-70955
Published: 13 February 2026
Summary
CVE-2025-70955 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Qq (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-70955, published on 2026-02-13, is a stack overflow vulnerability in the TON Virtual Machine (TVM) prior to version v2024.10. The flaw stems from improper handling of vmstate and continuation jump instructions, which permit continuous dynamic tail calls. This allows a crafted smart contract with deeply nested jump logic to exhaust the host process's stack space, even within standard gas limits, ultimately crashing the validator node.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-674 (Uncontrolled Recursion). Remote, unauthenticated attackers can exploit it by deploying a malicious smart contract on the TON blockchain. Exploitation leads to a Denial of Service (DoS) by causing validator node crashes, disrupting network operations.
Mitigation requires upgrading to TVM v2024.10 or later, where the issue is addressed via a specific commit in the ton-blockchain/ton repository. Release notes for v2024.10 reference security fixes, including contributions related to this vulnerability. Further technical details and a proof-of-concept are available in the provided references.
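The stack exhaustion described above, reduced to a toy model as an added example (this is not TON code and not the upstream fix): a jump dispatched as a nested native call grows the host stack by one frame per jump that gas allows, while a single dispatch loop keeps it flat. `Cont`, `Stats`, `GAS_PER_JUMP` and the function names are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <vector>

// Simplified model for illustration only (not TON code): every continuation
// charges a fixed gas price and then jumps to another continuation.
constexpr long GAS_PER_JUMP = 10;          // assumed price, not a TVM constant
struct Cont { int next; };                 // index of the jump target, -1 halts
struct Stats { long gas_used = 0; std::size_t peak_depth = 0; bool completed = false; };

// Constructed input: a chain of n continuations, each jumping to the next.
std::vector<Cont> make_chain(int n) {
    std::vector<Cont> code(n);
    for (int i = 0; i < n; ++i) code[i].next = (i + 1 < n) ? i + 1 : -1;
    return code;
}

// Uncontrolled-recursion shape (CWE-674): each jump is a nested native call,
// so host stack depth grows with the number of jumps that gas permits.
void step_recursive(const std::vector<Cont>& code, int pc, long gas_limit,
                    std::size_t depth, Stats& s) {
    if (depth > s.peak_depth) s.peak_depth = depth;
    if (pc < 0) { s.completed = true; return; }
    if (s.gas_used + GAS_PER_JUMP > gas_limit) return;   // out of gas
    s.gas_used += GAS_PER_JUMP;
    step_recursive(code, code[pc].next, gas_limit, depth + 1, s);
}

Stats run_recursive(const std::vector<Cont>& code, long gas_limit) {
    Stats s;
    step_recursive(code, code.empty() ? -1 : 0, gas_limit, 1, s);
    return s;
}

// Trampoline shape: the jump target is handed back to one dispatch loop, so
// the host stack stays flat and gas remains the only bound on work.
Stats run_trampoline(const std::vector<Cont>& code, long gas_limit) {
    Stats s;
    s.peak_depth = 1;
    int pc = code.empty() ? -1 : 0;
    while (pc >= 0) {
        if (s.gas_used + GAS_PER_JUMP > gas_limit) return s;   // out of gas
        s.gas_used += GAS_PER_JUMP;
        pc = code[pc].next;
    }
    s.completed = true;
    return s;
}
```

Both runners charge identical gas for the same chain; only the recursive one reports a peak depth that scales with chain length, which is why a gas limit alone does not bound native stack use.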
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207525
Vulnerability details
A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote unauthenticated exploitation of a public-facing VM service (blockchain validator) via malicious input leading to resource exhaustion DoS.
Mitigating Controls (NIST 800-53 r5)
Requires timely flaw remediation by upgrading TVM to v2024.10 or later to fix the stack overflow from uncontrolled recursion in vmstate and jump instructions.
Implements denial-of-service protections to prevent validator node crashes from malicious smart contracts exploiting stack exhaustion within gas limits.
Protects system resources such as host process stack space from unauthorized depletion caused by deeply nested dynamic tail calls in crafted contracts.