CVE-2026-32322
March 12, 2026
soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, the Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). The vulnerability requires an attacker to supply crafted Fr values through contract inputs, and the contract to compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0.
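The comparison defect described above, modelled in Python as an added example (this is not soroban-sdk code; the SDK is Rust, and `fr_eq_vulnerable`, `fr_eq_fixed`, `fr_from_input` and `u256_encodings` are illustrative names). It assumes the standard scalar-field orders of BN254 and BLS12-381 and shows how many distinct U256 encodings a single field element has, why a raw comparison gets them wrong, and the two defensive options: reduce before comparing, or reject non-canonical inputs at the contract boundary.

```python
# Illustrative model of CVE-2026-32322, not the SDK's own code.
# Field moduli: scalar-field orders r of BN254 and BLS12-381.
BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
BLS12_381_R = 52435875175126190479447740508185965837690552500527637822603658699938581184513
U256_MAX = (1 << 256) - 1


def fr_eq_vulnerable(a: int, b: int) -> bool:
    """The bug: compare Fr values by their raw U256 representation."""
    return a == b


def fr_eq_fixed(a: int, b: int, r: int) -> bool:
    """The fix: reduce both operands modulo r before comparing."""
    return a % r == b % r


def fr_from_input(raw: int, r: int) -> int:
    """Boundary check a contract can apply itself (hypothetical helper):
    accept only canonical scalars, i.e. 0 <= raw < r, so every field
    element has exactly one accepted encoding."""
    if not 0 <= raw <= U256_MAX:
        raise ValueError("not a U256")
    if raw >= r:
        raise ValueError("scalar is not reduced modulo r")
    return raw


def u256_encodings(x: int, r: int) -> list:
    """All U256 values that denote the same field element as canonical x:
    x, x + r, x + 2r, ... while they still fit in 256 bits."""
    return list(range(x % r, U256_MAX + 1, r))


def demo(r: int) -> dict:
    """x and x + r are the same field element but differ as U256."""
    x = 12345            # constructed canonical scalar
    unreduced = x + r    # non-canonical encoding of the same element
    return {
        "vulnerable": fr_eq_vulnerable(x, unreduced),  # False: wrongly unequal
        "fixed": fr_eq_fixed(x, unreduced, r),         # True
        "encodings": len(u256_encodings(x, r)),        # aliases an attacker could pick from
    }
```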
Affected Packages
https://github.com/stellar/rs-soroban-sdk.git (GITHUB):
Affected version(s): >=v23.5.0 <v23.5.3
Fix Suggestion: Update to version v23.5.3
https://github.com/stellar/rs-soroban-sdk.git (GITHUB):
Affected version(s): >=v22.0.0 <v22.0.11
Fix Suggestion: Update to version v22.0.11
https://github.com/stellar/rs-soroban-sdk.git (GITHUB):
Affected version(s): >=v25.0.0 <v25.3.0
Fix Suggestion: Update to version v25.3.0
soroban-sdk (RUST):
Affected version(s): >=25.0.0 <25.3.0
Fix Suggestion: Update to version 25.3.0
soroban-sdk (RUST):
Affected version(s): >=23.0.0 <23.5.3
Fix Suggestion: Update to version 23.5.3
soroban-sdk (RUST):
Affected version(s): >=0.0.1 <22.0.11
Fix Suggestion: Update to version 22.0.11
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Incorrect Comparison
EPSS
Base Score:
0.04