GHSA-429q-fhh4-r6hj: Anchor: `InterfaceAccount` allows account substitution between unexpected types
Any use of `InterfaceAccount` allows an account of another, unexpected type to be passed, after https://github.com/solana-foundation/anchor/pull/3837 disabled discriminator checking for this type.
The bug was originally reported and fixed in https://github.com/solana-foundation/anchor/pull/4139; see that PR for more details.
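The kind of check the advisory refers to, as an added example that is not Anchor's code and is not taken from either PR: a simplified model in which account data starts with an 8-byte type tag (discriminator). The `Vault` and `Note` types, their layouts and the tag values are constructed for illustration.

```rust
// Simplified model of discriminator-checked account loading (not Anchor's code).
// The 8-byte tags are constructed placeholders, not real Anchor discriminators.
const DISC_LEN: usize = 8;
const VAULT_DISC: [u8; DISC_LEN] = *b"VAULT\0\0\0";
const NOTE_DISC: [u8; DISC_LEN] = *b"NOTE\0\0\0\0";

#[derive(Debug, PartialEq)]
pub struct Vault { pub authority: [u8; 32], pub balance: u64 }

#[derive(Debug, PartialEq)]
pub enum LoadError { TooShort, DiscriminatorMismatch }

// Decode the body after the tag: 32-byte authority, then a little-endian u64 balance.
fn decode_vault(body: &[u8]) -> Result<Vault, LoadError> {
    if body.len() < 40 { return Err(LoadError::TooShort); }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&body[..32]);
    let mut bal = [0u8; 8];
    bal.copy_from_slice(&body[32..40]);
    Ok(Vault { authority, balance: u64::from_le_bytes(bal) })
}

/// No discriminator check: skips the tag, so any 48-byte account decodes as a Vault.
pub fn load_vault_unchecked(data: &[u8]) -> Result<Vault, LoadError> {
    if data.len() < DISC_LEN { return Err(LoadError::TooShort); }
    decode_vault(&data[DISC_LEN..])
}

/// With the check: the tag must match the expected type before the body is decoded.
pub fn load_vault_checked(data: &[u8]) -> Result<Vault, LoadError> {
    if data.len() < DISC_LEN { return Err(LoadError::TooShort); }
    if &data[..DISC_LEN] != &VAULT_DISC[..] { return Err(LoadError::DiscriminatorMismatch); }
    decode_vault(&data[DISC_LEN..])
}

/// Constructed sample: a `Note` account whose body has the same size, different meaning.
pub fn sample_note_account() -> Vec<u8> {
    let mut data = NOTE_DISC.to_vec();
    data.extend_from_slice(&[0xAA; 32]);         // note payload bytes
    data.extend_from_slice(&7u64.to_le_bytes()); // note id
    data
}

fn main() {
    let note = sample_note_account();
    println!("unchecked: {:?}", load_vault_unchecked(&note)); // Note read as a Vault
    println!("checked:   {:?}", load_vault_checked(&note));   // rejected
}
```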
References
- github.com/advisories/GHSA-429q-fhh4-r6hj
- github.com/otter-sec/anchor/security/advisories/GHSA-429q-fhh4-r6hj
- github.com/solana-foundation/anchor/commit/26ef36968a62e28a1f028e7adae4806af30c747d
- github.com/solana-foundation/anchor/pull/3837
- github.com/solana-foundation/anchor/pull/4139
- github.com/solana-foundation/anchor/security/advisories/GHSA-429q-fhh4-r6hj
- rustsec.org/advisories/RUSTSEC-2026-0146.html