CVE-2026-40069
Published: 09 April 2026
Summary
CVE-2026-40069 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Sgbett Bsv Ruby Sdk. Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 12.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring identification, reporting, and correction of the flaw through upgrading the BSV Ruby SDK to version 0.8.2 or later, which properly handles all ARC failure statuses.
- SI-11 (Error Handling): addresses the core issue of improper error handling by ensuring the system detects and handles ARC response failures (e.g., INVALID, MALFORMED) instead of compromising integrity through false success signals.
- SI-10 (Information Input Validation): requires validation of ARC response inputs such as txStatus and extraInfo, so that applications do not trust transactions the network rejected for reasons other than REJECTED or DOUBLE_SPEND_ATTEMPTED.
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
NVD Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.
Deeper analysis
CVE-2026-40069 affects the BSV Ruby SDK, a Ruby library for interacting with the BSV blockchain, in versions from 0.1.0 up to but not including 0.8.2. The vulnerability lies in the BSV::Network::ARC component's failure detection mechanism, which only recognizes REJECTED and DOUBLE_SPEND_ATTEMPTED as broadcast failures. Responses from ARC with txStatus values such as INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or those containing ORPHAN in extraInfo or txStatus are incorrectly treated as successful transaction broadcasts. This flaw, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and mapped to CWE-754, can mislead applications that rely on broadcaster success signals.
Remote attackers require no privileges or user interaction to exploit this issue over the network. By submitting transactions that the BSV network rejects for the noted reasons, adversaries can trick vulnerable applications into believing the broadcasts succeeded, even though the transactions were never accepted. This enables integrity violations, such as applications proceeding with actions gated behind perceived successful broadcasts, potentially leading to flawed business logic or trust in invalid blockchain transactions.
The vulnerability is addressed in BSV Ruby SDK version 0.8.2, as detailed in the project's GitHub security advisory (GHSA-9hfr-gw99-8rhx), release notes, associated pull request, and fixing commit. Security practitioners should advise upgrading to 0.8.2 or later to properly handle all ARC failure statuses and prevent false positives in broadcast detection.
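The following Ruby script is an added illustration of the CWE-754 pattern described above; it is not code from the BSV Ruby SDK or from the fixing commit. It places a denylist check of the kind the advisory describes (only REJECTED and DOUBLE_SPEND_ATTEMPTED count as failure) beside a fail-closed allowlist check, and runs both over constructed ARC-style JSON responses. The module names DenylistCheck and AllowlistCheck, the helper false_successes, the sample txids, and the accepted statuses SEEN_ON_NETWORK and MINED (and the ORPHAN-containing status SEEN_IN_ORPHAN_MEMPOOL) are assumptions for the example; only the statuses quoted in the advisory are taken from the page.

```ruby
require 'json'

# Constructed ARC broadcast responses for the demonstration (sample data,
# not captured from a real ARC instance). Status names not quoted in the
# advisory (SEEN_ON_NETWORK, MINED, SEEN_IN_ORPHAN_MEMPOOL) are assumed.
SAMPLE_RESPONSES = {
  'seen'          => '{"txid":"c0ffee01","txStatus":"SEEN_ON_NETWORK","extraInfo":""}',
  'mined'         => '{"txid":"c0ffee02","txStatus":"MINED","extraInfo":""}',
  'rejected'      => '{"txid":"c0ffee03","txStatus":"REJECTED","extraInfo":"fee too low"}',
  'double_spend'  => '{"txid":"c0ffee04","txStatus":"DOUBLE_SPEND_ATTEMPTED","extraInfo":""}',
  'invalid'       => '{"txid":"c0ffee05","txStatus":"INVALID","extraInfo":"script failed"}',
  'malformed'     => '{"txid":"c0ffee06","txStatus":"MALFORMED","extraInfo":""}',
  'stale_block'   => '{"txid":"c0ffee07","txStatus":"MINED_IN_STALE_BLOCK","extraInfo":""}',
  'orphan_status' => '{"txid":"c0ffee08","txStatus":"SEEN_IN_ORPHAN_MEMPOOL","extraInfo":""}',
  'orphan_info'   => '{"txid":"c0ffee09","txStatus":"SEEN_ON_NETWORK","extraInfo":"ORPHAN: missing parent"}',
  'no_status'     => '{"txid":"c0ffee0a","extraInfo":""}'
}.freeze

# The pre-0.8.2 pattern as the advisory describes it: a denylist of two
# statuses; every other response, including an absent txStatus, is "success".
module DenylistCheck
  FAILURES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED].freeze

  def self.success?(resp)
    !FAILURES.include?(resp['txStatus'])
  end
end

# Fail-closed pattern: only an allowlisted status is success, the advisory's
# failure statuses and any ORPHAN marker are failure, anything else is unknown
# and must not unlock actions gated on a successful broadcast.
module AllowlistCheck
  ACCEPTED = %w[SEEN_ON_NETWORK MINED].freeze # assumed minimal allowlist
  FAILURES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED INVALID MALFORMED MINED_IN_STALE_BLOCK].freeze

  def self.classify(resp)
    status = resp['txStatus'].to_s
    info   = resp['extraInfo'].to_s
    return :failure if FAILURES.include?(status)
    return :failure if status.include?('ORPHAN') || info.include?('ORPHAN')
    return :success if ACCEPTED.include?(status)

    :unknown
  end

  def self.success?(resp)
    classify(resp) == :success
  end
end

def parse_arc(json)
  JSON.parse(json)
end

# Names of the samples the denylist accepts but the allowlist does not:
# exactly the responses an application would wrongly trust.
def false_successes(samples = SAMPLE_RESPONSES)
  samples.select do |_name, json|
    resp = parse_arc(json)
    DenylistCheck.success?(resp) && !AllowlistCheck.success?(resp)
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RESPONSES.each do |name, json|
    resp = parse_arc(json)
    printf("%-14s denylist=%-5s allowlist=%s\n", name, DenylistCheck.success?(resp),
           AllowlistCheck.classify(resp))
  end
  puts "False successes under the denylist: #{false_successes.join(', ')}"
end
```

Running the script lists six responses (INVALID, MALFORMED, MINED_IN_STALE_BLOCK, both ORPHAN cases, and a response with no txStatus at all) that the denylist reports as successful broadcasts; the allowlist reports them as failure or unknown. The design point is that an exceptional condition the code has never seen must map to "not success", which a denylist can never guarantee.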
Details
- CWE(s)