Cyber Resilience

CVE-2026-29795

Medium

Published: 06 March 2026
Modified: 18 March 2026
KEV Added: not listed
Patch: available (stellar-xdr 25.0.1)
CVSS Score v3.1: 4.0 (Medium) CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 8 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29795 is a medium-severity vulnerability in Stellar's stellar-xdr library and CLI, catalogued under CWE-770 (Allocation of Resources Without Limits or Throttling): the StringM::from_str constructor accepts strings longer than the type's declared maximum length. Its CVSS v3.1 base score is 4.0 (Medium).

Operationally, its EPSS score places it at the 10.0th percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-29795 affects the stellar-xdr library and CLI, which provide types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not check that the input string is within the type's declared maximum length (the MAX const parameter). Calling StringM::<N>::from_str(s) with a string longer than N bytes therefore returns Ok instead of Err(Error::LengthExceedsMax), producing a StringM whose contents exceed N bytes and so violate the type's length invariant. Any code that constructs StringM values from string input through FromStr (including str::parse) while relying on that bound being enforced is affected; the defect is specific to the FromStr path.

The CVSS vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) models a local, unprivileged attacker with low complexity and no user interaction. The practical attack surface is whatever feeds string input into the affected parsers: a program that parses strings it receives over the network into StringM on an affected version will accept an oversized value just the same. Such a value carries no confidentiality or availability impact on its own, but it propagates through serialization, validation, or other logic that assumes the bound holds, which can produce integrity violations in dependent applications (the I:L component of the score). The tracker files the weakness under CWE-770.

The issue is fixed in stellar-xdr version 25.0.1. The Stellar security advisory (GHSA-x57h-xx53-v53w), the related GitHub issue #499, pull request #500 and fixing commit 1f840013c3e2fca0321fb844b048afa01d10dda6 document the change; the remediation is to upgrade to 25.0.1 or later so that from_str enforces the length bound. Until a dependent can upgrade, it should check input length against the type's maximum before parsing, or verify the invariant on parsed values before they reach serialization or validation logic.
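The following Rust model is added here as an editorial example; it is not code from the stellar-xdr crate or from the advisory. It mirrors the shape described above: a bounded StringM<const MAX: u32> with an unchecked constructor standing in for the pre-25.0.1 FromStr, a patched FromStr that routes through the length check, an invariant check for values that may have come from an unpatched parser (the "detect" control), and a minimal XDR encode/decode pair showing how an oversized value serializes cleanly but is rejected by a bound-enforcing decoder, which is where the integrity failure surfaces downstream. The type name and the Error::LengthExceedsMax variant follow the advisory; the methods try_from_bytes, from_str_vulnerable, invariant_holds, to_xdr, from_xdr and round_trip, and the XDR framing used, are this example's own assumptions.

```rust
use std::fmt;
use std::str::FromStr;

/// Error type for this model. The LengthExceedsMax name mirrors the variant
/// named in the advisory; the enum itself belongs to this example only.
#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    LengthExceedsMax,
    Invalid,
}

/// Model of a bounded XDR string holding at most MAX bytes. Same shape as the
/// advisory's StringM::<N>, reimplemented here for illustration (assumption).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StringM<const MAX: u32>(Vec<u8>);

impl<const MAX: u32> StringM<MAX> {
    pub const MAX_LEN: usize = MAX as usize;

    /// Byte-slice constructor that enforces the bound (assumed helper name).
    pub fn try_from_bytes(b: &[u8]) -> Result<Self, Error> {
        if b.len() > Self::MAX_LEN {
            return Err(Error::LengthExceedsMax);
        }
        Ok(Self(b.to_vec()))
    }

    /// Pre-25.0.1 behaviour as described on this page: the string is accepted
    /// without a length check, so the invariant can be violated. Not a crate API.
    pub fn from_str_vulnerable(s: &str) -> Result<Self, Error> {
        Ok(Self(s.as_bytes().to_vec()))
    }

    pub fn len(&self) -> usize {
        self.0.len()
    }

    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }

    /// Integrity check for values that may have come from an unpatched parser:
    /// true iff the declared bound actually holds.
    pub fn invariant_holds(&self) -> bool {
        self.0.len() <= Self::MAX_LEN
    }

    /// Minimal XDR encoding (assumption): 4-byte big-endian length, the bytes,
    /// then zero padding to a 4-byte boundary. It encodes an oversized value
    /// without complaint, which is how the bad value travels downstream.
    pub fn to_xdr(&self) -> Vec<u8> {
        let mut out = (self.0.len() as u32).to_be_bytes().to_vec();
        out.extend_from_slice(&self.0);
        let pad = (4 - self.0.len() % 4) % 4;
        out.extend(std::iter::repeat(0u8).take(pad));
        out
    }

    /// Bound-enforcing decoder: a length field larger than MAX is rejected
    /// before any bytes are copied.
    pub fn from_xdr(buf: &[u8]) -> Result<Self, Error> {
        if buf.len() < 4 {
            return Err(Error::Invalid);
        }
        let len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
        if len > Self::MAX_LEN {
            return Err(Error::LengthExceedsMax);
        }
        let padded = (len + 3) & !3;
        if buf.len() < 4 + padded {
            return Err(Error::Invalid);
        }
        Ok(Self(buf[4..4 + len].to_vec()))
    }
}

/// Patched behaviour: FromStr goes through the bound-checking constructor.
impl<const MAX: u32> FromStr for StringM<MAX> {
    type Err = Error;
    fn from_str(s: &str) -> Result<Self, Error> {
        Self::try_from_bytes(s.as_bytes())
    }
}

impl<const MAX: u32> fmt::Display for StringM<MAX> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(&String::from_utf8_lossy(&self.0))
    }
}

/// Round-trips a value through the encoder and the bound-enforcing decoder.
pub fn round_trip<const MAX: u32>(v: &StringM<MAX>) -> Result<StringM<MAX>, Error> {
    StringM::<MAX>::from_xdr(&v.to_xdr())
}

fn main() {
    // Constructed inputs: "abcd" fits a 4-byte bound, "abcde" does not.
    let ok: StringM<4> = "abcd".parse().unwrap();
    assert!(ok.invariant_holds());
    // Patched parser rejects the oversized input up front.
    assert_eq!("abcde".parse::<StringM<4>>(), Err(Error::LengthExceedsMax));
    // Unpatched parser accepts it, producing a value that breaks the bound ...
    let bad = StringM::<4>::from_str_vulnerable("abcde").unwrap();
    assert!(!bad.invariant_holds());
    // ... which encodes fine but fails at the first bound-enforcing decoder.
    assert_eq!(round_trip(&bad), Err(Error::LengthExceedsMax));
    println!("model checks passed: {} / {}", ok, bad);
}
```

The practical lesson for dependents is visible in the last two assertions: on an affected version the bad value is created silently and the error only appears later, in whatever XDR consumer enforces the bound, far from the input that caused it. Upgrading to 25.0.1 moves the failure back to the parse site; until then, validate length before calling parse or run an invariant check like invariant_holds on parsed values.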


Vulnerability details

stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds and returns an Ok value instead of Err(Error::LengthExceedsMax), producing a StringM that violates its length invariant. This affects any code that constructs StringM values from string input using FromStr (including str::parse), and relies on the type's maximum length constraint being enforced. An oversized StringM could propagate through serialization, validation, or other logic that assumes the invariant holds. This issue has been patched in version 25.0.1.

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-26267 (same vendor: Stellar)
CVE-2024-12537 (shared CWE-770)
CVE-2025-51846 (shared CWE-770)
CVE-2021-47877 (shared CWE-770)
CVE-2020-36950 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2026-1718 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)

Affected Assets

stellar / stellar-xdr: versions < 25.0.1 (fixed in 25.0.1)

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of all input strings against length constraints before StringM construction, blocking the exact FromStr bypass described.

detect: Requires integrity verification of data structures, enabling detection of StringM instances that violate their declared length invariant after parsing.

prevent (SI-11, Error Handling): Mandates proper error handling so that length-exceeding inputs produce Err rather than silently returning an invalid Ok value.
