SecuriTricks - CVE-2026-40583

Description

UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred.

Product(s) Impacted

Vendor	Product	Versions
Ultradag	Ultradag	0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-460

Improper Cleanup on Thrown Exception

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	ultradag	ultradag	0.1	/	/	/	/	/	/	/

References

https://github.com/UltraDAGcom/core/commit/2f5a3a237ea519b48d71e6e3093c89f60694c7be

https://github.com/UltraDAGcom/core/commit/45bcf7064741897319b6196d3d9f9e1307093511

https://github.com/UltraDAGcom/core/security/advisories/GHSA-q8wx-2crx-c7pp

CVSS Score

8.8 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

View Vector String

Timeline

Published: April 21, 2026, 5:16 p.m.
Last Modified: April 22, 2026, 9:24 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-40583