CVE-2026-29795: CWE-770: Allocation of Resources Without Limits or Throttling in stellar rs-stellar-xdr
stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds and returns an Ok value instead of Err(Error::LengthExceedsMax), producing a StringM that violates its length invariant. This affects any code that constructs StringM values from string input using FromStr (including str::parse), and relies on the type's maximum length constraint being enforced. An oversized StringM could propagate through serialization, validation, or other logic that assumes the invariant holds. This issue has been patched in version 25.0.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-29795 affects the stellar rs-stellar-xdr library, specifically versions prior to 25.0.1. The root cause is in the StringM::from_str method, which constructs length-bounded string types (StringM, whose declared maximum length is MAX) from input strings. The method fails to validate that the input string length does not exceed the predefined maximum length (MAX). Consequently, when a string longer than the maximum length N is passed to StringM::<N>::from_str(s), the function incorrectly returns a successful result (Ok) instead of an error (Err(Error::LengthExceedsMax)). This leads to the creation of StringM values that violate their length invariant. Such malformed StringM instances can then propagate through serialization, validation, or other logic that assumes the length constraint is enforced, potentially causing unexpected behavior or data integrity issues in applications relying on this library. The vulnerability is classified under CWE-770, which relates to allocation of resources without limits or throttling, as the unchecked input length can lead to resource mismanagement. The flaw requires local access to the vulnerable library and does not require user interaction. The CVSS v3.1 base score is 4.0, reflecting a medium severity with low impact on confidentiality and availability but some impact on integrity. The issue has been fixed in version 25.0.1 of rs-stellar-xdr, and no known exploits have been reported in the wild.
Potential Impact
The primary impact of this vulnerability is on data integrity within applications using the vulnerable rs-stellar-xdr library. By allowing oversized strings to bypass length checks, the vulnerability can cause malformed data structures that may disrupt serialization and validation logic. This can lead to inconsistent or corrupted data states, potentially affecting transaction processing or other critical operations in Stellar-based systems. While the vulnerability does not directly compromise confidentiality or availability, the integrity issues could result in application errors, unexpected behavior, or denial of service if malformed data is mishandled downstream. Organizations relying on Stellar's rs-stellar-xdr library for blockchain or financial transaction processing could face operational disruptions or data inconsistencies. Since exploitation requires local access and no user interaction, the threat is somewhat limited to environments where attackers have the ability to supply crafted input to the vulnerable library. However, the widespread use of Stellar technology in financial services and blockchain applications means that integrity issues could have significant downstream effects if not addressed.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade the rs-stellar-xdr library to version 25.0.1 or later, where the input length validation issue has been fixed. Developers should audit their codebases to ensure that all instances of StringM construction from strings use the patched library version. Additionally, implement input validation at higher application layers to enforce maximum length constraints before data reaches the vulnerable function. Employ fuzz testing and static analysis tools to detect similar unchecked input length issues in related code. Monitor application logs for anomalies related to string length violations or serialization errors that could indicate attempts to exploit this flaw. For environments where immediate upgrade is not feasible, consider applying strict input sanitization and limiting local access to trusted users to reduce the risk of exploitation. Finally, maintain awareness of updates from the Stellar project and security advisories to promptly address any emerging threats related to this vulnerability.
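To make the invariant failure from the technical summary and the application-layer guard from the mitigation advice concrete, here is a minimal Rust model written for this page, not rs-stellar-xdr's own code: a StringM<MAX> type with the unchecked from_str path the advisory describes beside the corrected one that returns Error::LengthExceedsMax, plus a caller-side bound check. The type layout, Error enum and function names (from_str_unchecked, parse_guarded, invariant_holds) are simplified assumptions, not the library's API.

```rust
// Added illustration, not rs-stellar-xdr's code: a minimal model of the
// length-bounded StringM<N> showing the unchecked FromStr and the fix.
use std::str::FromStr;

#[derive(Debug, PartialEq)]
pub enum Error {
    LengthExceedsMax,
}

/// Bounded string; the type invariant is `bytes.len() <= MAX`.
#[derive(Debug, Clone, PartialEq)]
pub struct StringM<const MAX: u32>(Vec<u8>);

impl<const MAX: u32> StringM<MAX> {
    pub fn len(&self) -> usize {
        self.0.len()
    }

    /// Downstream code (XDR serialization, validation) assumes this holds.
    pub fn invariant_holds(&self) -> bool {
        self.0.len() <= MAX as usize
    }
}

/// Pre-25.0.1 shape as the advisory describes it: the input length is
/// never compared against MAX, so an oversized string still yields Ok.
pub fn from_str_unchecked<const MAX: u32>(s: &str) -> Result<StringM<MAX>, Error> {
    Ok(StringM(s.as_bytes().to_vec()))
}

/// Corrected shape: reject input longer than MAX before constructing.
impl<const MAX: u32> FromStr for StringM<MAX> {
    type Err = Error;
    fn from_str(s: &str) -> Result<Self, Error> {
        if s.len() > MAX as usize {
            return Err(Error::LengthExceedsMax);
        }
        Ok(StringM(s.as_bytes().to_vec()))
    }
}

/// Application-layer guard for the mitigation advice: enforce the bound
/// before the value reaches an unpatched library constructor.
pub fn parse_guarded<const MAX: u32>(s: &str) -> Result<StringM<MAX>, Error> {
    if s.len() > MAX as usize {
        return Err(Error::LengthExceedsMax);
    }
    from_str_unchecked::<MAX>(s)
}
```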
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, Canada, Singapore, Switzerland, Netherlands, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ab4093c48b3f10ffd6ce0b
Added to database: 3/6/2026, 9:01:07 PM
Last enriched: 3/6/2026, 9:15:57 PM
Last updated: 3/6/2026, 11:53:29 PM