top of page
perceptive_background_267k.jpg

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handl…

Published:

26 January 2026 at 23:00:00

Alert date:

27 January 2026 at 23:04:33

Source:

nvd.nist.gov

Click to open the original link from this advisory

Supply Chain & Dependencies, Emerging Technologies

CVE-2026-24783 affects the soroban-fixed-point-math library for Soroban smart contracts in versions 1.3.0 and 1.4.0. The vulnerability is in the mulDiv(x, y, z) function which incorrectly handles cases where both the intermediate product x*y and divisor z are negative. The logic flaw causes incorrect rounding direction when both values are negative, affecting fixed_div_floor and fixed_div_ceil functions. The error impacts all signed FixedPoint and SorobanFixedPoint implementations including i64, i128, and I256. Patches are available in versions 1.3.1 and 1.4.1 with no known workarounds.

Technical details

Mitigation steps:

Affected products:

soroban-fixed-point-math

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-24783
https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1
https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page