CVE-2026-24783
Published: 27 January 2026
Summary
CVE-2026-24783 is a high-severity Incorrect Calculation (CWE-682) vulnerability in Script3 Soroban-Fixed-Point-Math. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score places it at the 4.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).
Deeper analysis
CVE-2026-24783 affects the soroban-fixed-point-math library, a fixed-point math implementation for Soroban smart contracts, specifically in versions 1.3.0 and 1.4.0. The vulnerability resides in the mulDiv(x, y, z) function, which incorrectly handles cases where both the intermediate product x*y and the divisor z are negative. The function assumes a negative intermediate product implies a negative final result, ignoring z's sign and causing rounding in the wrong direction. This issue impacts fixed_div_floor and fixed_div_ceil functions, which commonly pass non-constant divisors to mulDiv, and extends to all signed FixedPoint and SorobanFixedPoint types, including i64, i128, and I256 implementations.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating network-accessible exploitation with low complexity, no privileges or user interaction required. Attackers can exploit it by interacting with affected Soroban smart contracts that invoke the flawed mulDiv logic, supplying negative inputs to trigger incorrect rounding in division operations. This leads to high integrity impacts, such as erroneous fixed-point arithmetic that could manipulate contract balances, computations, or logic in financial or DeFi applications relying on precise math.
Patches are available in soroban-fixed-point-math versions 1.3.1 and 1.4.1, as detailed in the GitHub security advisory (GHSA-x5m4-43jf-hh65), release notes, and the fixing commit (c9233f7094198a49ed66a4d75786a8a3755c936a). No workarounds exist, so security practitioners should urge immediate upgrades for deployments using vulnerable versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4710
Vulnerability details
soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.
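The following is an added example, not code from the soroban-fixed-point-math library, its advisory, or its fix. It models the defect described above in plain Rust `i128` arithmetic: a constructed `mul_div_product_sign_only` routine picks the floor/ceil adjustment from the sign of `x * y` alone, while `mul_div` decides from the sign of the true quotient (the product and `z` differ in sign). The `SCALE` constant, the `fixed_div_floor`/`fixed_div_ceil` wrappers that call `mulDiv(x, SCALE, y)`, and the sample operands are assumptions made for this example. The `scan_mismatches` helper shows where the two routines disagree: never for a positive divisor, only when `z` is negative and the division is inexact, which is the test a reviewer would want when auditing a dependency pinned to 1.3.0 or 1.4.0.

```rust
// Added example (not the library's own code): a constructed model of the
// mulDiv(x, y, z) rounding defect beside a sign-correct version.

/// Rounding direction requested by the caller.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Rounding {
    Floor,
    Ceil,
}

/// Shared truncating core: returns (product, truncated quotient, remainder),
/// or None on overflow of x*y, division by zero, or i128::MIN / -1.
/// Rust's `/` and `%` truncate toward zero, so the remainder carries the
/// sign of the product.
fn trunc_div(x: i128, y: i128, z: i128) -> Option<(i128, i128, i128)> {
    let prod = x.checked_mul(y)?;
    let q = prod.checked_div(z)?;
    let rem = prod.checked_rem(z)?;
    Some((prod, q, rem))
}

/// Constructed model of the flawed logic: the +/-1 rounding adjustment is
/// chosen from the sign of the intermediate product alone, as if a negative
/// product always meant a negative quotient. When z is also negative the true
/// quotient is positive and the adjustment is applied in the wrong direction.
pub fn mul_div_product_sign_only(x: i128, y: i128, z: i128, r: Rounding) -> Option<i128> {
    let (prod, q, rem) = trunc_div(x, y, z)?;
    if rem == 0 {
        return Some(q); // exact division: nothing to round
    }
    let assumed_negative = prod < 0; // ignores the sign of z
    match (r, assumed_negative) {
        (Rounding::Floor, true) => q.checked_sub(1),
        (Rounding::Floor, false) => Some(q),
        (Rounding::Ceil, true) => Some(q),
        (Rounding::Ceil, false) => q.checked_add(1),
    }
}

/// Sign-correct version: the true quotient is negative exactly when the
/// product and the divisor differ in sign.
pub fn mul_div(x: i128, y: i128, z: i128, r: Rounding) -> Option<i128> {
    let (prod, q, rem) = trunc_div(x, y, z)?;
    if rem == 0 {
        return Some(q);
    }
    let quotient_negative = (prod < 0) != (z < 0);
    match (r, quotient_negative) {
        (Rounding::Floor, true) => q.checked_sub(1),
        (Rounding::Floor, false) => Some(q),
        (Rounding::Ceil, true) => Some(q),
        (Rounding::Ceil, false) => q.checked_add(1),
    }
}

/// Constructed 7-decimal fixed-point scale (an assumption for this example).
pub const SCALE: i128 = 10_000_000;

/// Fixed-point x / y rounding toward negative infinity: mulDiv(x, SCALE, y).
/// A user-supplied y is exactly the non-constant divisor the advisory names.
pub fn fixed_div_floor(x: i128, y: i128) -> Option<i128> {
    mul_div(x, SCALE, y, Rounding::Floor)
}

/// Fixed-point x / y rounding toward positive infinity.
pub fn fixed_div_ceil(x: i128, y: i128) -> Option<i128> {
    mul_div(x, SCALE, y, Rounding::Ceil)
}

/// Compares both routines over a small operand grid and returns
/// (mismatches with z > 0, mismatches with z < 0).
pub fn scan_mismatches(limit: i128) -> (usize, usize) {
    let (mut with_pos_z, mut with_neg_z) = (0usize, 0usize);
    for x in -limit..=limit {
        for z in -limit..=limit {
            if z == 0 {
                continue;
            }
            for r in [Rounding::Floor, Rounding::Ceil] {
                if mul_div(x, 1, z, r) != mul_div_product_sign_only(x, 1, z, r) {
                    if z > 0 { with_pos_z += 1 } else { with_neg_z += 1 }
                }
            }
        }
    }
    (with_pos_z, with_neg_z)
}

fn main() {
    // Advisory case: product and divisor both negative, true quotient 3.5.
    for r in [Rounding::Floor, Rounding::Ceil] {
        println!("{:?}: flawed={:?} correct={:?}", r,
                 mul_div_product_sign_only(-7, 1, -2, r), mul_div(-7, 1, -2, r));
    }
    println!("mismatches (z>0, z<0) on grid: {:?}", scan_mismatches(8));
}
```

Running it prints the floor result 2 from the flawed routine against 3 from the correct one (and 3 against 4 for ceil), and the grid scan reports zero disagreements for any positive divisor. The same pattern applies to the `i64` and `I256` variants named in the advisory; only the integer type changes.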
- CWE(s): CWE-682 (Incorrect Calculation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of public Soroban smart contracts (T1190) via crafted negative inputs to mulDiv, which directly facilitates stored data manipulation such as erroneous contract balances and logic (T1565.001).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of the mulDiv sign-handling flaw in soroban-fixed-point-math by patching to version 1.3.1 or 1.4.1, directly preventing exploitation in affected smart contracts.
RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning of smart contract dependencies to identify deployments of the vulnerable soroban-fixed-point-math versions 1.3.0 and 1.4.0.
CM-10 (Software Usage Restrictions): enforces restrictions on software usage by permitting only patched soroban-fixed-point-math library versions, preventing execution of the vulnerable fixed-point math functions.