CVE-2026-24889: CWE-190: Integer Overflow or Wraparound in stellar rs-soroban-sdk
CVE-2026-24889 is an integer overflow vulnerability in rs-soroban-sdk, the Stellar Rust SDK used for Soroban smart contracts. The flaw occurs in the Bytes::slice, Vec::slice, and Prng::gen_range methods when user-controlled or computed range bounds cause arithmetic overflow or wraparound, potentially corrupting contract state or generating random numbers outside the intended range. It affects versions prior to 22.0.9, 23.0.0 up to but excluding 23.5.1, and 25.0.0 up to but excluding 25.0.2.
AI Analysis
Technical Summary
CVE-2026-24889 is an integer overflow or wraparound vulnerability (CWE-190) in rs-soroban-sdk, the Rust SDK used to build Soroban smart contracts on the Stellar network. It affects the arithmetic that Bytes::slice, Vec::slice, and Prng::gen_range perform on their range bounds. When a bound is user-controlled or computed (for example, an end index derived from a length and an offset), the bound arithmetic can overflow; if overflow checks are off, the value wraps silently instead of trapping, and the call proceeds with a wrong start or end index or a wrong PRNG range. The outcome is an incorrect slice or a random number outside the requested range rather than a failed transaction, which is how contract state becomes corrupted without any visible error.

Affected versions are all releases before 22.0.9, 23.0.0 up to but excluding 23.5.1, and 25.0.0 up to but excluding 25.0.2; the fixed releases are 22.0.9, 23.5.1 and 25.0.2.

The root cause is that the affected methods used bare arithmetic whose behaviour depends on the Rust overflow-checks setting. Rust enables overflow checks by default only in the dev profile; the release profile, which is what contracts are compiled with for deployment, defaults to overflow-checks = false, under which integer arithmetic wraps. Stellar's documentation and contract initialization tooling enable overflow checks by default so that arithmetic traps on overflow; a trap aborts the invocation and none of its state changes are committed, so failing closed is the safe outcome. The patched versions replace the bare arithmetic with checked_add and checked_sub so the overflow is caught regardless of how the contract was built. A contract is exposed when it was built without overflow checks and passes unvalidated input, or bounds computed from it, to one of these methods.

No in-the-wild exploitation is reported. The CVSS 3.1 base score is 5.3 (medium): network attack vector, low attack complexity, no privileges or user interaction required, and a low integrity impact with no confidentiality or availability impact (consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
Potential Impact
For European organizations running Soroban smart contracts on the Stellar network, this vulnerability can cause subtle, hard-to-detect corruption of contract state: wrong slices of stored or submitted data, and random draws outside the requested range. In practice that means financial discrepancies, erroneous contract executions, or unintended behaviour in decentralized applications, especially those handling assets or settlement. Confidentiality and availability are not directly affected; the risk is loss of integrity, which undermines trust in the service built on the contract. Fintech, decentralized finance (DeFi) and blockchain development teams are most exposed if they ship contracts built from a vulnerable SDK version without overflow checks enabled. Because the overflow is silent, a corrupted state can propagate through later transactions before anyone notices, which complicates incident response and recovery. Out-of-range random numbers additionally break contract logic that depends on them (lotteries, shuffles, sampling, fee selection), since callers assume the value lies inside the bounds they asked for. The medium severity reflects that the impact is significant but contained, provided the build and upgrade practices below are followed; leaving it unaddressed risks financial loss, reputational damage, and regulatory scrutiny under European financial and data regulations.
Mitigation Recommendations
European organizations should first establish which rs-soroban-sdk version each contract was built against (for a Cargo workspace, cargo tree -i soroban-sdk lists the resolved version and every crate that depends on it) and upgrade to 22.0.9, 23.5.1 or 25.0.2 or later, whichever matches the major version in use, then rebuild and redeploy the affected contracts. Independently of the upgrade, set overflow-checks = true in every build profile, including [profile.release] in Cargo.toml, because the release profile defaults to false and only the SDK's own arithmetic is protected by the patch; the contract's own arithmetic still wraps silently if the profile leaves checks off. Audit contract code for user-supplied or computed values that flow into Bytes::slice, Vec::slice and Prng::gen_range, and validate them before the call: the start must not exceed the end, the end must not exceed the collection length, and any addition or subtraction used to derive a bound should use checked_add and checked_sub (or saturating variants where that is the intended semantics) so that an invalid bound is rejected rather than wrapped. Add boundary-value tests and fuzzing of these call sites to the development pipeline, including bounds at 0 and at the integer maximum. After deployment, monitor contract state and random-number outputs for values outside their expected ranges, which is the observable signature of a silent wrap. Finally, brief developers on this vulnerability and enforce secure coding standards for Soroban contracts to reduce recurrence.
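The following is an added illustration of the wraparound described in the technical summary and of the checked-arithmetic fix recommended above; it is not rs-soroban-sdk code and does not reproduce the SDK's internals. It models the two operations the advisory names, resolving a RangeBounds into concrete slice indices and into an inclusive (lo, hi) pair for a PRNG, once with wrapping arithmetic and once with checked arithmetic. The wrapping_add and wrapping_sub calls stand in for the bare `+` and `-` that a build with overflow-checks = false compiles to wrapping code, so the example behaves the same under any build profile. The function names and the BoundError type are assumptions made for this example.

```rust
// Added example: CWE-190 in range-bound arithmetic, wrapping versus checked.
// Not rs-soroban-sdk code; function and type names are this example's own.
use std::ops::{Bound, RangeBounds};

#[derive(Debug, PartialEq, Eq)]
pub enum BoundError {
    Overflow,    // bound arithmetic overflowed (only the checked variants report this)
    OutOfBounds, // start > end, or end beyond the collection length
}

/// Slice bounds with overflow checks off. `0..=u32::MAX` wraps the end
/// index to 0 and yields an empty slice instead of an error.
pub fn slice_bounds_wrapping(r: impl RangeBounds<u32>, len: u32) -> Result<(u32, u32), BoundError> {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.wrapping_add(1), // silent wrap at u32::MAX
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.wrapping_add(1), // silent wrap at u32::MAX
        Bound::Excluded(&e) => e,
        Bound::Unbounded => len,
    };
    if start <= end && end <= len { Ok((start, end)) } else { Err(BoundError::OutOfBounds) }
}

/// Same resolution with checked arithmetic: the overflow is reported
/// regardless of compiler settings, which is the shape of the upstream fix.
pub fn slice_bounds_checked(r: impl RangeBounds<u32>, len: u32) -> Result<(u32, u32), BoundError> {
    let start = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.checked_add(1).ok_or(BoundError::Overflow)?,
        Bound::Unbounded => 0,
    };
    let end = match r.end_bound() {
        Bound::Included(&e) => e.checked_add(1).ok_or(BoundError::Overflow)?,
        Bound::Excluded(&e) => e,
        Bound::Unbounded => len,
    };
    if start <= end && end <= len { Ok((start, end)) } else { Err(BoundError::OutOfBounds) }
}

/// PRNG bounds with overflow checks off. An excluded end of 0 (for example a
/// range computed as `lo..len - k` that reached zero) wraps to u64::MAX and
/// turns an empty range into the whole u64 space.
pub fn prng_bounds_wrapping(r: impl RangeBounds<u64>) -> Result<(u64, u64), BoundError> {
    let lo = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.wrapping_add(1), // silent wrap at u64::MAX
        Bound::Unbounded => 0,
    };
    let hi = match r.end_bound() {
        Bound::Included(&e) => e,
        Bound::Excluded(&e) => e.wrapping_sub(1), // silent wrap at 0
        Bound::Unbounded => u64::MAX,
    };
    if lo <= hi { Ok((lo, hi)) } else { Err(BoundError::OutOfBounds) }
}

/// Checked PRNG bounds: the same inputs are rejected instead of widened.
pub fn prng_bounds_checked(r: impl RangeBounds<u64>) -> Result<(u64, u64), BoundError> {
    let lo = match r.start_bound() {
        Bound::Included(&s) => s,
        Bound::Excluded(&s) => s.checked_add(1).ok_or(BoundError::Overflow)?,
        Bound::Unbounded => 0,
    };
    let hi = match r.end_bound() {
        Bound::Included(&e) => e,
        Bound::Excluded(&e) => e.checked_sub(1).ok_or(BoundError::Overflow)?,
        Bound::Unbounded => u64::MAX,
    };
    if lo <= hi { Ok((lo, hi)) } else { Err(BoundError::OutOfBounds) }
}

fn main() {
    // Inputs below are constructed for the example: a 4-element buffer and
    // bounds chosen to sit exactly on the integer limits.
    println!("{:?}", slice_bounds_wrapping(0..=u32::MAX, 4)); // Ok((0, 0)): empty slice, no error
    println!("{:?}", slice_bounds_checked(0..=u32::MAX, 4));  // Err(Overflow)
    println!("{:?}", prng_bounds_wrapping(5..0));             // Ok((5, 18446744073709551615))
    println!("{:?}", prng_bounds_checked(5..0));              // Err(Overflow)
}
```

The point to notice is that the wrapping variants never fail on the hostile inputs: the slice call quietly returns an empty range and the PRNG call quietly returns the full u64 space, both of which a caller would then act on. The checked variants turn the same inputs into an error, which in a contract becomes a trap and a rolled-back invocation.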
Affected Countries
Germany, United Kingdom, France, Netherlands, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T19:35:20.528Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 697a889e4623b1157cf358fa
Added to database: 1/28/2026, 10:07:26 PM
Last enriched: 2/5/2026, 8:55:04 AM
Last updated: 2/7/2026, 9:38:46 AM