Security Vulnerability Report
CVE-2026-32322 CVSS 5.3 MEDIUM

Published: 2026-03-13 19:54:43
Last Modified: 2026-03-19 13:37:47

Description

soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, the Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). Exploiting the vulnerability requires an attacker to supply crafted Fr values through contract inputs, and the contract to compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:* - soroban-sdk < 22.0.11 - VULNERABLE
cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:* - soroban-sdk >= 23.0.0, < 23.5.3 - VULNERABLE
cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:* - soroban-sdk >= 25.0.0, < 25.3.0 - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Rust
// PoC: Fr comparison vulnerability demonstration
// This demonstrates how unreduced Fr values can bypass equality checks

// Stand-in for the SDK's scalar-field wrapper. The real type wraps a U256;
// u128 and a placeholder modulus are used here only so the example compiles
// and runs stand-alone.
#[derive(Clone, Copy, Debug)]
struct Fr(u128);

// Placeholder for the field modulus r (the real BN254/BLS12-381 r is a
// ~254-bit prime; this value is NOT a real field order).
const R: u128 = 0xffff_ffff_0000_0001;

impl Fr {
    // Reduce the raw representation modulo r
    fn reduce(self) -> Fr {
        Fr(self.0 % R)
    }
}

// Vulnerable comparison (current implementation)
fn vulnerable_fr_equal(a: Fr, b: Fr) -> bool {
    // Direct U256 comparison without modulo reduction
    a.0 == b.0
}

// Example attack scenario:
// Contract checks if user-provided scalar equals authorized value
fn vulnerable_auth_check(user_scalar: Fr, authorized_scalar: Fr) -> bool {
    // This check can be bypassed if user_scalar is unreduced
    // e.g., authorized_scalar = 0, user_scalar = r (field modulus)
    // They are mathematically equal but compare as NOT equal
    vulnerable_fr_equal(user_scalar, authorized_scalar)
}

// Exploit:
// 1. authorized_scalar = 0 (mod r)
// 2. Attacker provides user_scalar = r (unreduced)
// 3. vulnerable_auth_check returns false (incorrectly)
// 4. Attacker bypasses authorization

// Fixed comparison (after patch)
fn fixed_fr_equal(a: Fr, b: Fr) -> bool {
    // Reduce both values modulo r before comparison
    let reduced_a = a.reduce();
    let reduced_b = b.reduce();
    reduced_a.0 == reduced_b.0
}

fn main() {
    let authorized = Fr(0);
    // r itself: equal to 0 in the field, but >= r as a raw integer
    let unreduced = Fr(R);
    println!("vulnerable: {}", vulnerable_auth_check(unreduced, authorized)); // false
    println!("fixed:      {}", fixed_fr_equal(unreduced, authorized));       // true
}

References

https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-x2hw-px52-wp4m (Mitigation, Patch, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32322", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:42.610", "lastModified": "2026-03-19T13:37:47.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "soroban-sdk is a Rust SDK for Soroban contracts. Prior to 22.0.11, 23.5.3, and 25.3.0, The Fr (scalar field) types for BN254 and BLS12-381 in soroban-sdk compared values using their raw U256 representation without first reducing modulo the field modulus r. This caused mathematically equal field elements to compare as not-equal when one or both values were unreduced (i.e., >= r). The vulnerability requires an attacker to supply crafted Fr values through contract inputs, and compare them directly without going through host-side arithmetic operations. Smart contracts that rely on Fr equality checks for security-critical logic could produce incorrect results. The impact depends on how the affected contract uses Fr equality comparisons, but can result in incorrect authorization decisions or validation bypasses in contracts that perform equality checks on user-supplied scalar values. This vulnerability is fixed in 22.0.11, 23.5.3, and 25.3.0."}, {"lang": "es", "value": "soroban-sdk es un SDK de Rust para contratos Soroban. Antes de 22.0.11, 23.5.3 y 25.3.0, los tipos Fr (campo escalar) para BN254 y BLS12-381 en soroban-sdk comparaban valores usando su representación U256 cruda sin reducir primero el módulo del módulo de campo r. Esto causó que elementos de campo matemáticamente iguales se compararan como no-iguales cuando uno o ambos valores no estaban reducidos (es decir, >= r). La vulnerabilidad requiere que un atacante suministre valores Fr manipulados a través de entradas de contrato, y los compare directamente sin pasar por operaciones aritméticas del lado del host. Los contratos inteligentes que dependen de comprobaciones de igualdad de Fr para lógica de seguridad crítica podrían producir resultados incorrectos. El impacto depende de cómo el contrato afectado utiliza las comparaciones de igualdad de Fr, pero puede resultar en decisiones de autorización incorrectas o elusión de validaciones en contratos que realizan comprobaciones de igualdad en valores escalares suministrados por el usuario. Esta vulnerabilidad está corregida en 22.0.11, 23.5.3 y 25.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-697"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:*", "versionEndExcluding": "22.0.11", "matchCriteriaId": "197C15B0-7D3F-42B2-BAC0-48B32D3D798C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:*", "versionStartIncluding": "23.0.0", "versionEndExcluding": "23.5.3", "matchCriteriaId": "842E038D-54E7-45AF-B924-608DAF58E0F5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:stellar:rs-soroban-sdk:*:*:*:*:*:rust:*:*", "versionStartIncluding": "25.0.0", "versionEndExcluding": "25.3.0", "matchCriteriaId": "D23F2F97-743F-4E63-84AF-B599B1600A56"}]}]}], "references": [{"url": "https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-x2hw-px52-wp4m", "source": "[email protected]", "tags": ["Mitigation", "Patch", "Vendor Advisory"]}]}}