CVE-2026-24783: CWE-682: Incorrect Calculation in script3 soroban-fixed-point-math
CVE-2026-24783 is a high-severity vulnerability in the soroban-fixed-point-math library versions 1.3.0 and 1.4.0, used for fixed-point arithmetic in Soroban smart contracts. The mulDiv(x, y, z) function incorrectly calculates results when both the intermediate product (x * y) and divisor (z) are negative, causing rounding errors in fixed_div_floor and fixed_div_ceil functions. This flaw affects all signed FixedPoint implementations (i64, i128, I256). Exploitation can lead to integrity issues in smart contract computations, potentially causing financial miscalculations or logic errors. No known exploits exist yet, but patched versions 1. 3.
AI Analysis
Technical Summary
The vulnerability CVE-2026-24783 affects the soroban-fixed-point-math library, specifically versions 1.3.0 and 1.4.0, which provide fixed-point arithmetic functions for Soroban smart contracts. The core issue lies in the mulDiv(x, y, z) function, which calculates (x * y) / z with rounding. When both the intermediate product (x * y) and the divisor z are negative, the function incorrectly assumes the final result must be negative, ignoring the divisor's sign. This leads to rounding in the wrong direction, impacting the fixed_div_floor and fixed_div_ceil functions that rely on mulDiv with non-constant divisors. The problem affects all signed FixedPoint types (i64, i128, I256), which are commonly used in financial and logic computations within smart contracts. Such miscalculations can cause incorrect contract behavior, potentially allowing attackers to exploit rounding errors to manipulate contract outcomes or financial calculations. The vulnerability does not require authentication or user interaction and can be exploited remotely by submitting crafted inputs to vulnerable smart contracts. Although no known exploits have been reported, the issue is serious enough to warrant immediate patching. Versions 1.3.1 and 1.4.1 contain fixes that correctly handle sign logic in mulDiv. No workarounds are currently available, emphasizing the need for prompt updates.
Potential Impact
For European organizations leveraging Soroban smart contracts, especially in financial services, decentralized finance (DeFi), and blockchain-based applications, this vulnerability poses a significant risk to the integrity of contract computations. Incorrect rounding can lead to financial discrepancies, erroneous contract states, or unintended contract executions, potentially resulting in monetary loss or reputational damage. Since Soroban is a smart contract platform, errors in fixed-point math can be exploited by adversaries to manipulate contract logic or outcomes without breaching confidentiality or availability. This undermines trust in blockchain applications and can disrupt business operations relying on precise financial calculations. The lack of known exploits suggests the threat is currently theoretical but patching is critical to prevent future attacks. Organizations failing to update may face risks of contract manipulation, regulatory scrutiny, and financial penalties.
Mitigation Recommendations
European organizations should immediately upgrade any usage of soroban-fixed-point-math library from versions 1.3.0 or 1.4.0 to the patched versions 1.3.1 or 1.4.1. Conduct a thorough audit of all Soroban smart contracts that use fixed-point arithmetic to identify potential reliance on vulnerable functions such as mulDiv, fixed_div_floor, and fixed_div_ceil. Implement rigorous testing and validation of contract logic post-update to ensure correct rounding behavior. Where feasible, introduce additional contract-level checks or constraints to detect anomalous results from arithmetic operations. Engage with blockchain developers and auditors to review contract code for similar logic errors. Monitor blockchain transaction patterns for unusual contract behavior that could indicate exploitation attempts. Finally, maintain an up-to-date inventory of smart contract dependencies and apply security patches promptly.
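The sign flaw described in the Technical Summary and the post-update rounding check recommended above, as an added Rust example (not the library's source code). The function names, the flawed sign test and the small input sweep are constructed for illustration, and only i128 is modelled.

```rust
// Added illustration: a simplified model of the sign flaw, not the library's source.
// Every function name below is hypothetical.

/// Sign test modelled on the flaw: a negative product is taken to mean a negative result.
fn flawed_is_negative(r: i128, z: i128) -> bool { r < 0 || (r > 0 && z < 0) }

/// Corrected sign test: the quotient is negative only when the signs differ.
fn fixed_is_negative(r: i128, z: i128) -> bool { (r < 0) != (z < 0) }

/// (x * y) / z rounded down (`ceil == false`) or up (`ceil == true`).
fn mul_div(x: i128, y: i128, z: i128, ceil: bool, neg: fn(i128, i128) -> bool) -> Option<i128> {
    let r = x.checked_mul(y)?;
    let q = r.checked_div(z)?; // None for z == 0 or overflow; truncates toward zero
    if r.checked_rem(z)? == 0 {
        return Some(q);
    }
    match (ceil, neg(r, z)) {
        (false, true) => q.checked_sub(1), // truncation rounded up, step down for floor
        (true, false) => q.checked_add(1), // truncation rounded down, step up for ceil
        _ => Some(q),
    }
}

/// Independent oracle: make the divisor positive, where div_euclid is a true floor.
fn oracle(r: i128, z: i128, ceil: bool) -> i128 {
    let (r, z) = if z < 0 { (-r, -z) } else { (r, z) };
    if ceil { -((-r).div_euclid(z)) } else { r.div_euclid(z) }
}

/// Sweep small constructed inputs; return every (x, y, z, ceil) that disagrees with the oracle.
fn mismatches(neg: fn(i128, i128) -> bool) -> Vec<(i128, i128, i128, bool)> {
    let mut bad = Vec::new();
    for x in -6i128..=6 {
        for y in -6i128..=6 {
            for z in (-6i128..=6).filter(|z| *z != 0) {
                for ceil in [false, true] {
                    if mul_div(x, y, z, ceil, neg) != Some(oracle(x * y, z, ceil)) {
                        bad.push((x, y, z, ceil));
                    }
                }
            }
        }
    }
    bad
}

fn main() {
    println!("flawed: {}, fixed: {}", mismatches(flawed_is_negative).len(), mismatches(fixed_is_negative).len());
}
```

Running the same sweep against a contract's own fixed-point calls after upgrading to 1.3.1 or 1.4.1 gives a regression test for rounding direction.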
Affected Countries
Germany, France, Netherlands, Switzerland, United Kingdom, Estonia, Luxembourg
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-26T21:06:47.869Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69793a494623b1157c4b1c6f
Added to database: 1/27/2026, 10:20:57 PM
Last enriched: 2/4/2026, 9:15:50 AM
Last updated: 2/7/2026, 6:51:16 AM