CVE-2026-24783

Jan. 27, 2026, 10:15 p.m.

7.5
High

Description

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.

Product(s) Impacted

Vendor Product Versions
Soroban
  • Fixed-point-math
  • 1.3.0-1.4.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-682
Incorrect Calculation
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a soroban fixed-point-math 1.3.0-1.4.0 / / / / / / /

References

https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1
https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65

Tags

[email protected]
CWE-682
2026-01-27
CVE-2026-24783

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: Jan. 27, 2026, 10:15 p.m.
Last Modified: Jan. 27, 2026, 10:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.