CVE-2026-24889: CWE-190: Integer Overflow or Wraparound in stellar rs-soroban-sdk
CVE-2026-24889 is an integer overflow vulnerability in the stellar rs-soroban-sdk affecting versions prior to 22.0.9, between 23.0.0 and 23.5.1, and between 25.0.0 and 25.0.
AI Analysis
Technical Summary
The vulnerability CVE-2026-24889 affects the stellar rs-soroban-sdk, a Rust software development kit used for building Soroban smart contracts on the Stellar blockchain platform. The issue is an integer overflow or wraparound (CWE-190) that can be triggered in the Bytes::slice, Vec::slice, and Prng::gen_range methods when arithmetic operations on range bounds overflow silently. This occurs if contracts pass user-controlled or computed range values without proper validation or without enabling Rust's overflow checks. Specifically, if overflow-checks are disabled (overflow-checks = false), arithmetic operations may wrap around without error, causing slices or random number generation to operate on incorrect data ranges. This can lead to corrupted contract state or unintended behavior in contract logic. The vulnerability affects multiple versions of the SDK, including versions before 22.0.9, between 23.0.0 and 23.5.1, and between 25.0.0 and 25.0.2. The recommended fix replaces bare arithmetic with checked arithmetic methods (checked_add, checked_sub) that trap on overflow regardless of overflow-checks settings. The official tooling and boilerplate generated by the stellar contract init tool encourage enabling overflow checks by default, reducing the likelihood of exploitation. However, contracts that explicitly or implicitly disable overflow checks remain vulnerable. No known exploits have been reported in the wild. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low complexity, no privileges required, and no user interaction needed. The impact is limited to integrity loss without affecting confidentiality or availability.
Potential Impact
For European organizations developing or deploying Soroban smart contracts using the vulnerable rs-soroban-sdk versions, this vulnerability could lead to silent corruption of contract state or incorrect random number generation. This may cause logic errors, financial discrepancies, or unintended contract behavior, undermining trust and reliability in blockchain applications. While the vulnerability does not directly compromise confidentiality or availability, integrity issues in smart contracts can have significant financial and reputational consequences, especially in sectors like finance, supply chain, and digital identity where Stellar-based contracts may be used. The impact is mitigated if overflow checks are enabled, which is the recommended default. Organizations relying on custom or legacy contracts that disable overflow checks are at higher risk. The absence of known exploits reduces immediate threat but does not eliminate risk, particularly as attackers may develop exploits targeting contracts with disabled overflow checks. European blockchain developers and enterprises should prioritize updating SDK versions and enforcing overflow checks to maintain contract integrity.
Mitigation Recommendations
1. Immediately upgrade rs-soroban-sdk to a patched version beyond 25.0.2 or the latest secure release that includes checked arithmetic operations.
2. Ensure all Soroban contract development environments and build profiles enable Rust's overflow checks (overflow-checks = true), especially in release builds.
3. Review existing contracts to verify that overflow checks are enabled and that no user-controlled inputs are passed unchecked to Bytes::slice, Vec::slice, or Prng::gen_range methods.
4. Implement explicit validation of range bounds before passing them to slicing or random number generation functions to prevent overflow conditions.
5. Use the official stellar contract init tool to generate boilerplate code that enforces best practices.
6. Conduct thorough testing and code audits focusing on arithmetic operations and boundary conditions in smart contracts.
7. Monitor updates from Stellar and the rs-soroban-sdk project for further patches or advisories.
8. Educate developers on the risks of disabling overflow checks and the importance of safe arithmetic in smart contract development.
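The following stand-alone Rust snippet is an added illustration of the wraparound described in the Technical Summary and of the bound validation called for in recommendation 4; it is not rs-soroban-sdk code, and every function name in it is hypothetical. It contrasts the wrapping arithmetic a contract gets with overflow-checks = false against checked_sub/checked_add, which reject the bad range in any build profile.

```rust
// Added example, not rs-soroban-sdk code. Models range-bound arithmetic
// for slice() / gen_range()-style helpers with and without checked ops.

/// Vulnerable pattern: with overflow-checks = false, `end - start` wraps
/// silently, so a caller-supplied start > end yields a huge slice length.
pub fn slice_len_wrapping(start: u32, end: u32) -> u32 {
    end.wrapping_sub(start)
}

/// Hardened form: checked_sub reports the inverted range as None
/// regardless of the build profile's overflow-checks setting.
pub fn slice_len_checked(start: u32, end: u32) -> Option<u32> {
    end.checked_sub(start)
}

/// Same issue when the end is derived from a length: `start + len` can wrap
/// below the buffer size and slip past an `end <= total` check.
pub fn end_from_len_wrapping(start: u32, len: u32) -> u32 {
    start.wrapping_add(len)
}

pub fn end_from_len_checked(start: u32, len: u32) -> Option<u32> {
    start.checked_add(len)
}

/// Validation a contract should run on caller-controlled bounds before
/// handing them to a slice method: start <= end and end <= total length.
pub fn validate_slice_bounds(start: u32, end: u32, len: u32) -> Result<u32, &'static str> {
    if end > len {
        return Err("end beyond length");
    }
    end.checked_sub(start).ok_or("start greater than end")
}

/// Inclusive-range width for a gen_range-style helper. `hi - lo + 1` wraps
/// to 0 for the full u64 range (then `% width` would panic or divide by 0).
pub fn range_width_checked(lo: u64, hi: u64) -> Option<u64> {
    hi.checked_sub(lo)?.checked_add(1)
}

/// Maps a raw 64-bit random value into lo..=hi using only checked ops.
pub fn gen_range_checked(raw: u64, lo: u64, hi: u64) -> Result<u64, &'static str> {
    let width = range_width_checked(lo, hi).ok_or("invalid or full-width range")?;
    lo.checked_add(raw % width).ok_or("overflow adding offset")
}

fn main() {
    // Constructed inputs: an inverted range and a length that wraps start.
    println!("wrapping len: {}", slice_len_wrapping(10, 4)); // 4294967290
    println!("checked len:  {:?}", slice_len_checked(10, 4)); // None
    println!("wrapping end: {}", end_from_len_wrapping(1, u32::MAX)); // 0
    println!("gen_range:    {:?}", gen_range_checked(12345, 10, 20)); // Ok(13)
}
```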
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Sweden, Estonia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T19:35:20.528Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 1/28/2026, 10:07:26 PM
Last enriched: 1/28/2026, 10:20:17 PM
Last updated: 1/28/2026, 11:11:22 PM