CVE-2025-70956
Published: 13 February 2026
Summary
CVE-2025-70956 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Qq (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 26.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote exploitation of the TVM to trigger OOG-induced state corruption, directly causing application/system denial of service.
NVD Description
A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.
Deeper analysis
CVE-2025-70956 is a State Pollution vulnerability in the TON Virtual Machine (TVM) prior to version v2025.04. The flaw resides in the RUNVM instruction logic within VmState::run_child_vm, which handles initialization of child virtual machines. This logic moves critical resources, such as libraries and logs, from the parent state to the new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after the resources are moved but before the state transition finalizes, the parent VM is left in a corrupted state with these resources emptied or invalidated. Due to gas isolation in RUNVM, the parent VM continues execution with this corruption, resulting in unexpected behavior or denial of service within the affected contract's context. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-1321.
Attackers can exploit this vulnerability remotely without privileges or user interaction by invoking a smart contract on the TON blockchain that executes the RUNVM instruction. By crafting a transaction that triggers an OOG exception at the precise point after resource transfer but before state finalization, an attacker corrupts the parent VM's state. This leads to denial of service or erratic contract behavior, such as failed operations or invalid state handling, confined to the targeted contract's execution environment.
Mitigation is addressed in the TON blockchain repository through commit 1835d84602bbaaa1593270d7ab3bb0b499920416, incorporated into the v2025.04 release. Security practitioners should ensure TON nodes and contracts upgrade to TVM v2025.04 or later to resolve the non-atomic resource handling issue, as detailed in the associated GitHub release notes and a technical gist providing further analysis.
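The non-atomic hand-off described above, reduced to a minimal C++ model alongside one way to make it exception-safe. This is an added illustration, not TON source and not the v2025.04 patch; `Vm`, `start_child_unsafe`, `start_child_safe` and `parent_intact_after_oog` are hypothetical names, and the sample values are constructed.

```cpp
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Simplified model for illustration; not TON source. All names are hypothetical.
struct OutOfGas : std::runtime_error { using std::runtime_error::runtime_error; };

struct Vm {
    std::vector<std::string> libraries;  // resource handed to the child
    std::vector<std::string> log;        // resource handed to the child
    long gas = 0;
    void consume(long n) { if (n > gas) throw OutOfGas("out of gas"); gas -= n; }
};

// Non-atomic: resources leave the parent before a step that can throw.
void start_child_unsafe(Vm& parent, Vm& child, long cost) {
    child.libraries = std::move(parent.libraries);
    child.log = std::move(parent.log);
    parent.consume(cost);  // OOG here strands the resources in the child
    child.gas = cost;      // "finalization" is never reached on OOG
}

// Atomic: on any exception, hand the resources back before propagating it.
void start_child_safe(Vm& parent, Vm& child, long cost) {
    child.libraries = std::move(parent.libraries);
    child.log = std::move(parent.log);
    try {
        parent.consume(cost);
        child.gas = cost;
    } catch (...) {
        parent.libraries = std::move(child.libraries);
        parent.log = std::move(child.log);
        throw;
    }
}

// Gas isolation: the caller absorbs the OOG and keeps executing as the parent.
// Returns true when the parent still holds its libraries and log afterwards.
bool parent_intact_after_oog(void (*start)(Vm&, Vm&, long)) {
    Vm parent, child;
    parent.libraries = {"lib_a", "lib_b"};  // constructed sample values
    parent.log = {"entry"};
    parent.gas = 10;
    try { start(parent, child, 100); } catch (const OutOfGas&) {}
    return parent.libraries.size() == 2 && parent.log.size() == 1;
}

int main() { return parent_intact_after_oog(start_child_safe) ? 0 : 1; }
```

The same check works as a regression test for any VM that isolates child failures: force the failure between the move and the commit, then assert on the parent's resources.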
Details
- CWE(s)