CVE-2026-29795: CWE-770: Allocation of Resources Without Limits or Throttling in stellar rs-stellar-xdr
stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds and returns an Ok value instead of Err(Error::LengthExceedsMax), producing a StringM that violates its length invariant. This affects any code that constructs StringM values from string input using FromStr (including str::parse), and relies on the type's maximum length constraint being enforced. An oversized StringM could propagate through serialization, validation, or other logic that assumes the invariant holds. This issue has been patched in version 25.0.1.
AI Analysis
Technical Summary
CVE-2026-29795 affects rs-stellar-xdr (the stellar-xdr crate), the Rust library and CLI for Stellar XDR types. StringM<MAX> is a bounded string type whose invariant is that its contents are at most MAX bytes long. Before version 25.0.1, the FromStr implementation for StringM<MAX> never checked that bound: calling StringM::<N>::from_str(s), or equivalently s.parse::<StringM<N>>(), with an s longer than N bytes returned Ok instead of Err(Error::LengthExceedsMax), so the caller received a StringM that violates its own length invariant. Note that the bound is in bytes, not characters, so multi-byte UTF-8 input reaches the limit sooner than its character count suggests. Any code that builds StringM values from string input through FromStr and then trusts the type to have enforced the limit is affected: the oversized value can flow into serialization, validation, or other logic written on the assumption that the invariant holds. The advisory scopes the defect to the FromStr path; other constructors and XDR decoding are not described as affected, so the exposure is in values parsed from strings rather than in values received as encoded XDR. The CWE-770 classification reflects the missing bound on the allocated buffer; the advisory describes no information disclosure and no denial of service, and the practical harm is an invalid data state rather than a crash. The issue is fixed in version 25.0.1. No public exploit or in-the-wild exploitation has been reported.
Potential Impact
The primary impact is on data integrity in applications built on the affected rs-stellar-xdr versions. Because oversized strings pass the parse step, downstream code may process data it was written to reject, leading to logic errors, incorrect transaction handling, or corrupted state; for example, a value that should have failed at parse time may only fail later when it is serialized, or may be accepted by a validation step that assumes the type already bounded it. Confidentiality and availability are not directly affected, but the reliability of the type-level guarantee is, and that guarantee is often what downstream code relies on instead of repeating the check. Exploitation requires only that attacker-controlled string input reach a StringM::from_str or str::parse call; no privileges or user interaction are needed, but the attacker must already be able to influence that input. The scope is limited to components that parse StringM values from strings using the vulnerable versions, and no exploit is publicly known, so the immediate threat level is moderate. It should still be fixed promptly, since the invariant violation is silent and hard to detect after the fact.
Mitigation Recommendations
Upgrade every instance of the stellar-xdr crate (the rs-stellar-xdr repository) to version 25.0.1 or later, where from_str enforces the length bound; include transitive dependencies, since the crate is commonly pulled in through other Stellar tooling. Audit the codebase for StringM::from_str, str::parse into a StringM type, and any wrapper around them that accepts untrusted input, and confirm that each such site either runs on the fixed version or performs its own byte-length check before parsing. Until the upgrade is complete, add an explicit length check at the application boundary and, where cheap, assert the invariant on the constructed value so that a silently oversized StringM is rejected instead of propagated. Add fuzz tests and static analysis for bounded-type constructors, since the same class of bug (a constructor that skips the check its type is supposed to guarantee) is easy to reintroduce. Follow the Stellar project's security advisories for related fixes, and test the serialization and validation paths with inputs at and beyond MAX to confirm that the bound is enforced end to end.
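The following Rust example is added here to illustrate both the defect described in the technical summary and the application-layer guard recommended above. It is not code from rs-stellar-xdr; StringM, Error, and the method names are a minimal hypothetical stand-in written for this page. from_str_unchecked reproduces the pre-25.0.1 behaviour (no bound check), the FromStr impl shows the fixed behaviour, and parse_bounded shows a caller-side guard that rejects oversized input even when the underlying parse does not.

```rust
use std::fmt;
use std::str::FromStr;

/// Hypothetical error type; the variant name follows the advisory's
/// `Error::LengthExceedsMax`, but this is not the crate's own type.
#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    LengthExceedsMax,
}

impl fmt::Display for Error {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Error::LengthExceedsMax => write!(f, "length exceeds max"),
        }
    }
}

impl std::error::Error for Error {}

/// Hypothetical stand-in for `StringM<MAX>`: a byte string whose
/// invariant is `len() <= MAX`. The bound is in bytes, not characters.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct StringM<const MAX: usize>(Vec<u8>);

impl<const MAX: usize> StringM<MAX> {
    /// Reproduces the pre-25.0.1 behaviour described in the advisory:
    /// the input is accepted without ever comparing its length to MAX,
    /// so an oversized value is returned as `Ok`.
    pub fn from_str_unchecked(s: &str) -> Result<Self, Error> {
        Ok(StringM(s.as_bytes().to_vec()))
    }

    pub fn len(&self) -> usize {
        self.0.len()
    }

    pub fn is_empty(&self) -> bool {
        self.0.is_empty()
    }

    /// True when the value satisfies the type's length invariant.
    pub fn invariant_holds(&self) -> bool {
        self.0.len() <= MAX
    }
}

impl<const MAX: usize> FromStr for StringM<MAX> {
    type Err = Error;

    /// Fixed behaviour: reject input longer than MAX bytes before
    /// constructing the value, so the invariant holds by construction.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        if s.len() > MAX {
            return Err(Error::LengthExceedsMax);
        }
        Ok(StringM(s.as_bytes().to_vec()))
    }
}

/// Caller-side guard for code that cannot yet upgrade: check the byte
/// length before parsing and re-check the invariant afterwards, so a
/// library that silently accepts oversized input is still caught.
pub fn parse_bounded<const MAX: usize>(s: &str) -> Result<StringM<MAX>, Error> {
    if s.len() > MAX {
        return Err(Error::LengthExceedsMax);
    }
    // Stands in for the vulnerable library parse.
    let value = StringM::<MAX>::from_str_unchecked(s)?;
    if !value.invariant_holds() {
        return Err(Error::LengthExceedsMax);
    }
    Ok(value)
}

fn main() {
    // Constructed sample inputs: one within the bound, one over it.
    let ok = "abcd";
    let too_long = "toolong";

    let bad = StringM::<4>::from_str_unchecked(too_long).unwrap();
    println!("unchecked parse: len={} invariant_holds={}", bad.len(), bad.invariant_holds());

    println!("fixed parse of {:?}: {:?}", too_long, too_long.parse::<StringM<4>>());
    println!("fixed parse of {:?}: {:?}", ok, ok.parse::<StringM<4>>());

    // Multi-byte UTF-8: three characters but six bytes, so it exceeds MAX = 4.
    println!("guarded parse of \"ééé\": {:?}", parse_bounded::<4>("ééé"));
}
```

The guard costs one length comparison per parse and is safe to keep after upgrading; it also documents at the call site that the input is untrusted. To confirm which version of the real crate a build pulls in, `cargo tree -i stellar-xdr` lists every dependent, and `cargo update -p stellar-xdr` moves it to the latest compatible release.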
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, Canada, Singapore, Switzerland, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.900Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ab4093c48b3f10ffd6ce0b
Added to database: 3/6/2026, 9:01:07 PM
Last enriched: 3/14/2026, 7:42:24 PM
Last updated: 4/20/2026, 3:46:37 PM