Cyber Resilience

CVE-2025-70955

HighDDoS

Published: 13 February 2026

Published
13 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0003 7.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-70955 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Qq (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-70955, published on 2026-02-13, is a stack overflow vulnerability in the TON Virtual Machine (TVM) prior to version v2024.10. The flaw stems from improper handling of vmstate and continuation jump instructions, which permit continuous dynamic tail calls. This allows a crafted smart contract with deeply nested jump logic to exhaust the host process's stack space, even within standard gas limits, ultimately crashing the validator node.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-674 (Uncontrolled Recursion). Remote, unauthenticated attackers can exploit it by deploying a malicious smart contract on the TON blockchain. Exploitation leads to a Denial of Service (DoS) by causing validator node crashes, disrupting network operations.

Mitigation requires upgrading to TVM v2024.10 or later, where the issue is addressed via a specific commit in the ton-blockchain/ton repository. Release notes for v2024.10 reference security fixes, including contributions related to this vulnerability. Further technical details and a proof-of-concept are available in the provided references.

EU & UK References

Vulnerability details

A Stack Overflow vulnerability was discovered in the TON Virtual Machine (TVM) before v2024.10. The vulnerability stems from the improper handling of vmstate and continuation jump instructions, which allow for continuous dynamic tail calls. An attacker can exploit this by…

more

crafting a smart contract with deeply nested jump logic. Even within permissible gas limits, this nested execution exhausts the host process's stack space, causing the validator node to crash. This results in a Denial of Service (DoS) for the TON blockchain network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote unauthenticated exploitation of a public-facing VM service (blockchain validator) via malicious input leading to resource exhaustion DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3520Shared CWE-674
CVE-2026-33508Shared CWE-674
CVE-2026-31899Shared CWE-674
CVE-2026-40324Shared CWE-674
CVE-2026-1069Shared CWE-674
CVE-2026-34211Shared CWE-674
CVE-2026-39376Shared CWE-674
CVE-2026-32141Shared CWE-674
CVE-2026-44289Shared CWE-674
CVE-2026-32944Shared CWE-674

Affected Assets

Qq
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation by upgrading TVM to v2024.10 or later to fix the stack overflow from uncontrolled recursion in vmstate and jump instructions.

prevent

Implements denial-of-service protections to prevent validator node crashes from malicious smart contracts exploiting stack exhaustion within gas limits.

prevent

Protects system resources such as host process stack space from unauthorized depletion caused by deeply nested dynamic tail calls in crafted contracts.

References