The vulnerability CVE-2026-32322 affects the stellar rs-soroban-sdk, a Rust software development kit used for building Soroban smart contracts on the Stellar blockchain platform. The issue lies in the implementation of equality comparisons for Fr scalar field types associated with BN254 and BLS12-381 elliptic curves. These Fr values represent elements in a finite field used in cryptographic operations. The flawed comparison logic directly compares the raw 256-bit unsigned integer (U256) representations of these values without first reducing them modulo the field modulus r. Since field elements can have multiple integer representations that are congruent modulo r, failing to reduce before comparison means that two mathematically equal elements may be considered unequal if one or both are unreduced (i.e., greater than or equal to r). This incorrect comparison can cause smart contracts that rely on Fr equality checks for security-critical decisions—such as authorization or validation—to behave incorrectly. An attacker can exploit this by supplying specially crafted Fr values as inputs to the contract, triggering erroneous logic paths that may bypass intended security checks. The vulnerability requires no authentication or user interaction beyond supplying inputs to the contract. It affects multiple versions of the rs-soroban-sdk prior to 22.0.11, 23.5.3, and 25.3.0, where the issue has been fixed. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low complexity, no privileges required, and no user interaction. There are no known exploits reported in the wild as of the publication date.

The impact of this vulnerability depends heavily on how smart contracts utilize Fr equality comparisons. Contracts that rely on these comparisons for critical security functions—such as verifying user authorization, validating transaction parameters, or enforcing business logic—may produce incorrect results. This can lead to unauthorized access, bypass of validation checks, or other logic flaws that compromise contract integrity. Since Soroban contracts are deployed on the Stellar blockchain, exploitation could undermine trust in decentralized applications built on this platform. The vulnerability does not directly affect confidentiality or availability but impacts integrity by allowing incorrect decisions. Given the increasing adoption of Soroban for decentralized finance (DeFi) and other blockchain applications, the risk extends to financial services, asset management, and identity verification systems using affected versions of the SDK. Organizations running Soroban contracts on vulnerable SDK versions face potential financial loss, reputational damage, and regulatory scrutiny if exploited.

To mitigate this vulnerability, organizations and developers should immediately upgrade to the fixed versions of the rs-soroban-sdk: 22.0.11, 23.5.3, or 25.3.0 or later. Auditing existing smart contracts for reliance on Fr equality comparisons is critical; contracts performing direct equality checks on user-supplied scalar values should be reviewed and potentially refactored to use host-side arithmetic operations that ensure modular reduction before comparison. Developers should implement additional validation layers to verify that all Fr values are reduced modulo r before any equality checks. Incorporating comprehensive unit and integration tests that cover edge cases involving unreduced Fr values can help detect similar logic flaws. Monitoring blockchain transactions for anomalous contract behavior or unexpected authorization bypasses may provide early warning of exploitation attempts. Finally, educating developers on the correct handling of finite field elements and cryptographic primitives in Soroban contracts will reduce the risk of similar vulnerabilities.