CVE-2026-24783
Published: 27 January 2026
Summary
CVE-2026-24783 is a high-severity Incorrect Calculation (CWE-682) vulnerability in Script3 Soroban-Fixed-Point-Math. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 3.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables remote exploitation of public Soroban smart contracts (T1190) via crafted negative inputs to mulDiv, directly facilitating stored data manipulation such as erroneous contract balances and logic (T1565.001).
NVD Description
soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.
Deeper analysis
CVE-2026-24783 affects the soroban-fixed-point-math library, a fixed-point math implementation for Soroban smart contracts, specifically in versions 1.3.0 and 1.4.0. The vulnerability resides in the mulDiv(x, y, z) function, which incorrectly handles cases where both the intermediate product x*y and the divisor z are negative. The function assumes a negative intermediate product implies a negative final result, ignoring z's sign and causing rounding in the wrong direction. This issue impacts fixed_div_floor and fixed_div_ceil functions, which commonly pass non-constant divisors to mulDiv, and extends to all signed FixedPoint and SorobanFixedPoint types, including i64, i128, and I256 implementations.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating network-accessible exploitation with low complexity, no privileges or user interaction required. Attackers can exploit it by interacting with affected Soroban smart contracts that invoke the flawed mulDiv logic, supplying negative inputs to trigger incorrect rounding in division operations. This leads to high integrity impacts, such as erroneous fixed-point arithmetic that could manipulate contract balances, computations, or logic in financial or DeFi applications relying on precise math.
Patches are available in soroban-fixed-point-math versions 1.3.1 and 1.4.1, as detailed in the GitHub security advisory (GHSA-x5m4-43jf-hh65), release notes, and the fixing commit (c9233f7094198a49ed66a4d75786a8a3755c936a). No workarounds exist, so security practitioners should urge immediate upgrades for deployments using vulnerable versions.
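The rounding defect described in the NVD text and the analysis above is easiest to see in code. The following is an added Rust example, not code from soroban-fixed-point-math: it computes floor and ceiling of (x * y) / z with the rounding direction taken from the sign of the true quotient, beside a reconstruction of the flawed logic that decides the direction from the sign of the product alone. The reconstruction is an assumption based on the advisory's description, not the library's actual source, and the i128 width, the `trunc_div` helper and the `fixed_div_floor` wrapper are choices made for this example.

```rust
// Added example, not code from soroban-fixed-point-math.
// Correct floor/ceil of (x * y) / z for signed integers, beside a
// reconstruction (an assumption based on the advisory text) of the flawed
// logic that took the rounding direction from the sign of x * y only.

/// Product, truncated quotient and remainder of (x * y) / z.
/// Returns None on z == 0 or on overflow (x * y, or i128::MIN / -1).
fn trunc_div(x: i128, y: i128, z: i128) -> Option<(i128, i128, i128)> {
    if z == 0 {
        return None;
    }
    let prod = x.checked_mul(y)?;
    let q = prod.checked_div(z)?; // None for i128::MIN / -1
    let r = prod % z; // safe: the overflowing case returned above
    Some((prod, q, r))
}

/// floor((x * y) / z). Rust's `/` truncates toward zero, so the result moves
/// down by one only when the exact quotient is negative and inexact, i.e.
/// when x * y and z have opposite signs and the remainder is non-zero.
pub fn mul_div_floor(x: i128, y: i128, z: i128) -> Option<i128> {
    let (prod, q, r) = trunc_div(x, y, z)?;
    let negative_quotient = (prod < 0) != (z < 0);
    if r != 0 && negative_quotient { q.checked_sub(1) } else { Some(q) }
}

/// ceil((x * y) / z): moves up by one only when the exact quotient is
/// positive and inexact, i.e. when x * y and z share a sign.
pub fn mul_div_ceil(x: i128, y: i128, z: i128) -> Option<i128> {
    let (prod, q, r) = trunc_div(x, y, z)?;
    let positive_quotient = (prod < 0) == (z < 0);
    if r != 0 && positive_quotient { q.checked_add(1) } else { Some(q) }
}

/// Reconstruction of the flawed floor (assumption): treats a negative
/// product as a negative result, so it rounds toward negative infinity
/// whenever x * y < 0, even when a negative z makes the real quotient positive.
pub fn flawed_mul_div_floor(x: i128, y: i128, z: i128) -> Option<i128> {
    let (prod, q, r) = trunc_div(x, y, z)?;
    if r != 0 && prod < 0 { q.checked_sub(1) } else { Some(q) }
}

/// Reconstruction of the flawed ceil (assumption): with a negative product
/// it assumes the result is negative and leaves the truncated value alone,
/// which is one short when both x * y and z are negative.
pub fn flawed_mul_div_ceil(x: i128, y: i128, z: i128) -> Option<i128> {
    let (prod, q, r) = trunc_div(x, y, z)?;
    if r != 0 && prod >= 0 { q.checked_add(1) } else { Some(q) }
}

/// Fixed-point x / y at scale `one` (e.g. 10_000_000 for 7 decimals), shaped
/// like the advisory's fixed_div_floor: the caller-supplied y becomes the
/// divisor z of mul_div, which is how a negative z reaches the rounding logic.
pub fn fixed_div_floor(x: i128, y: i128, one: i128) -> Option<i128> {
    mul_div_floor(x, one, y)
}

fn main() {
    // Constructed inputs: -1.0 / -3.0 at 7 decimals, an inexact positive result.
    let one = 10_000_000i128;
    let (x, y) = (-10_000_000i128, -30_000_000i128);
    println!("floor: correct {:?}, flawed {:?}",
        mul_div_floor(x, one, y), flawed_mul_div_floor(x, one, y));
    println!("ceil:  correct {:?}, flawed {:?}",
        mul_div_ceil(x, one, y), flawed_mul_div_ceil(x, one, y));
}
```

For -1.0 / -3.0 the exact quotient is 0.333…, so the correct floor at 7 decimals is 3333333 and the correct ceil 3333334; the reconstructed flawed versions return 3333332 and 3333333, one unit in the wrong direction. In a contract that uses these functions for balances or exchange rates, that unit is the integrity impact the advisory rates as high. The defensive check is to compare a fixed-point library's floor/ceil results against exact rational arithmetic on sign-mixed inputs, including the both-negative case, before relying on it.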
Details
- CWE(s)