Security Vulnerability Report
CVE-2026-40069 CVSS 7.5 HIGH

CVE-2026-40069

Published: 2026-04-09 18:17:03
Last Modified: 2026-04-30 14:01:51

Description

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:* - VULNERABLE
BSV Ruby SDK from 0.1.0 up to, but not including, 0.8.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```ruby
# PoC for CVE-2026-40069: BSV Ruby SDK Logic Error
# This script simulates the vulnerable behavior where INVALID transactions
# are treated as success.

# Vulnerable component simulation
class VulnerableARC
  def broadcast(tx)
    # Simulate a broadcaster response indicating the transaction is INVALID.
    # In a real scenario this comes from the ARC API response.
    response = { "txStatus" => "INVALID", "extraInfo" => "Transaction malformed" }

    # Vulnerable logic: only checks for two specific failure statuses
    if response["txStatus"] == "REJECTED" || response["txStatus"] == "DOUBLE_SPEND_ATTEMPTED"
      return false
    else
      # INVALID, MALFORMED, ORPHAN etc. fall through to here
      return true # Incorrectly returns success
    end
  end
end

# Usage
client = VulnerableARC.new
result = client.broadcast("fake_tx_data")

if result
  puts "[VULNERABLE] Transaction broadcast successful! (But it was actually INVALID)"
else
  puts "Transaction failed."
end
```
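As an added example (not the SDK's code and not the 0.8.2 patch itself), the pre-0.8.2 style denylist check beside a fail-closed classifier that treats every status named in the advisory, any ORPHAN-containing txStatus or extraInfo, and any unrecognised or missing status as a failed broadcast. The success allowlist (`SUCCESS_STATUSES`) and the sample response bodies are assumptions constructed for this example.

```ruby
require 'json'

# Statuses the advisory names as non-acceptance outcomes from ARC.
FAILURE_STATUSES = %w[REJECTED DOUBLE_SPEND_ATTEMPTED INVALID MALFORMED MINED_IN_STALE_BLOCK].freeze
# Assumed allowlist: only these count as "accepted by the network". Earlier
# pipeline states and anything unrecognised fail closed (the CWE-754 fix pattern).
SUCCESS_STATUSES = %w[ACCEPTED_BY_NETWORK SEEN_ON_NETWORK MINED].freeze

# Pre-0.8.2 style check: two denylisted statuses, everything else "succeeds".
def vulnerable_success?(response)
  !%w[REJECTED DOUBLE_SPEND_ATTEMPTED].include?(response['txStatus'])
end

# Fail-closed check: explicit failures and ORPHAN mentions are rejected first,
# then the status must be on the allowlist; nil, empty or unknown statuses fail.
def broadcast_accepted?(response)
  status = response['txStatus'].to_s.upcase
  extra  = response['extraInfo'].to_s.upcase
  return false if FAILURE_STATUSES.include?(status)
  return false if status.include?('ORPHAN') || extra.include?('ORPHAN')
  SUCCESS_STATUSES.include?(status)
end

# Constructed ARC-style response bodies (not captured from a live service).
SAMPLE_RESPONSES = [
  '{"txStatus":"SEEN_ON_NETWORK","extraInfo":""}',
  '{"txStatus":"INVALID","extraInfo":"Transaction malformed"}',
  '{"txStatus":"MINED_IN_STALE_BLOCK","extraInfo":""}',
  '{"txStatus":"SEEN_ON_NETWORK","extraInfo":"seen in orphan block"}',
  '{"txStatus":"SOME_FUTURE_STATUS","extraInfo":""}',
  '{"txStatus":null}'
].freeze

# Parse each body and report what both checks decide, so the gap is visible.
def compare_checks(bodies = SAMPLE_RESPONSES)
  bodies.map do |body|
    r = JSON.parse(body)
    { status: r['txStatus'], vulnerable: vulnerable_success?(r), fixed: broadcast_accepted?(r) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |row|
    puts format('%-22s vulnerable=%-5s fixed=%s', row[:status].inspect, row[:vulnerable], row[:fixed])
  end
end
```

Only the first sample is accepted by the fail-closed check; the denylist check reports all six as successful broadcasts.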

References

https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc (Patch)
https://github.com/sgbett/bsv-ruby-sdk/issues/305 (Issue Tracking)
https://github.com/sgbett/bsv-ruby-sdk/pull/306 (Issue Tracking)
https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2 (Release Notes)
https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx (Patch, Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-40069", "sourceIdentifier": "[email protected]", "published": "2026-04-09T18:17:03.043", "lastModified": "2026-04-30T14:01:51.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.1.0 to before 0.8.2, BSV::Network::ARC's failure detection only recognises REJECTED and DOUBLE_SPEND_ATTEMPTED. ARC responses with txStatus values of INVALID, MALFORMED, MINED_IN_STALE_BLOCK, or any ORPHAN-containing extraInfo / txStatus are silently treated as successful broadcasts. Applications that gate actions on broadcaster success are tricked into trusting transactions that were never accepted by the network. This vulnerability is fixed in 0.8.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "0.1.0", "versionEndExcluding": "0.8.2", "matchCriteriaId": "90A4B053-0571-45B3-85A6-0CE005E42D5E"}]}]}], "references": [{"url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/releases/tag/v0.8.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-9hfr-gw99-8rhx", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
```