Lucene search

MendCVELIST:CVE-2022-23066

HistoryMay 08, 2022 - 12:00 a.m.

CVE-2022-23066 Solana rBPF - Incorrect Calculation in sdiv instruction

2022-05-0800:00:00

CWE-682

Mend

www.cve.org

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.2%

JSON

In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems.

CNA Affected

[
  {
    "product": "rbpf",
    "vendor": "solana-labs",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "0.2.26",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "0.2.27",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324

github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297

www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

9.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

59.2%

JSON

Related for CVELIST:CVE-2022-23066