CVE-2026-46403: Klever-Go KVM read-only execution can commit contract delete and upgrade side effects
KVM exposes ExecuteReadOnlyWithTypedArguments as a read-only execution mechanism. The hook saves the previous read-only state, sets runtime.SetReadOnly(true), executes the destination context, and then restores the previous read-only state. However, the indirect contract delete and upgrade paths do not reject execution when runtime.ReadOnly() is true. As a result, a contract reached through read-only execution can call the production delete hook for a target contract it owns. The delete path appends the target address to vmOutput.DeletedAccounts, the output context merges DeletedAccounts into the caller output, and the smart contract processor later processes the VM output by deleting accounts listed in that field.
The root cause is that read-only mode is applied as runtime state, but not enforced by the state-changing delete and upgrade host-core paths. This breaks the expected isolation boundary for workflows that rely on read-only calls to inspect another contract without allowing that callee to produce state-changing VM output.
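A minimal Go model of the control flow described above, added here as an illustration and not taken from klever-go: the Runtime, VMOutput, hook and function names are simplified stand-ins for the advisory's runtime.SetReadOnly/ReadOnly, ExecuteReadOnlyWithTypedArguments and vmOutput.DeletedAccounts, with the unchecked delete hook shown beside a hardened one that enforces the read-only state inside the state-changing path itself.

```go
package main
import "errors"

// Constructed model of the advisory's host: read-only mode is a flag on the runtime,
// and VMOutput carries side effects the smart contract processor applies later.
type Runtime struct{ readOnly bool }
func (r *Runtime) SetReadOnly(v bool) { r.readOnly = v }
func (r *Runtime) ReadOnly() bool     { return r.readOnly }

type VMOutput struct{ DeletedAccounts [][]byte }
var ErrReadOnly = errors.New("contract delete/upgrade is not allowed in read-only execution")

// deleteContractUnchecked models the vulnerable delete hook: it never consults the
// read-only flag, so the deletion is recorded in the output no matter how it was reached.
func deleteContractUnchecked(_ *Runtime, out *VMOutput, target []byte) error {
	out.DeletedAccounts = append(out.DeletedAccounts, target)
	return nil
}

// deleteContractChecked is the hardened form: the state-changing path itself
// enforces the read-only state instead of trusting the caller to avoid it.
func deleteContractChecked(rt *Runtime, out *VMOutput, target []byte) error {
	if rt.ReadOnly() {
		return ErrReadOnly
	}
	out.DeletedAccounts = append(out.DeletedAccounts, target)
	return nil
}

// executeReadOnly mirrors the hook the advisory describes: save the previous flag,
// set read-only, run the callee, then restore the previous state.
func executeReadOnly(rt *Runtime, callee func(*Runtime, *VMOutput) error) (*VMOutput, error) {
	prev := rt.ReadOnly()
	rt.SetReadOnly(true)
	defer rt.SetReadOnly(prev)
	out := &VMOutput{}
	return out, callee(rt, out)
}

// LeakedDeletions runs a callee that tries to delete a contract it owns through the
// given delete hook inside a read-only call and reports how many deletions reached
// the output (what the processor would later apply) and whether the hook rejected it.
func LeakedDeletions(hook func(*Runtime, *VMOutput, []byte) error) (int, error) {
	rt := &Runtime{}
	target := []byte("constructed-owned-contract-address") // constructed sample address
	out, err := executeReadOnly(rt, func(rt *Runtime, out *VMOutput) error {
		return hook(rt, out, target)
	})
	return len(out.DeletedAccounts), err
}
```

With the unchecked hook the read-only call still returns an output listing one deleted account; with the checked hook the delete is rejected and DeletedAccounts stays empty, which is the isolation boundary the advisory expects.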
References
- github.com/advisories/GHSA-jc6w-wmfc-fh33
- github.com/klever-io/klever-go/commit/333f6ec910906e227705fc5767dc897d8fbfc862
- github.com/klever-io/klever-go/commit/68b94a40824fac2d848a4ded6eb7c91ada6ce9ef
- github.com/klever-io/klever-go/security/advisories/GHSA-jc6w-wmfc-fh33
- nvd.nist.gov/vuln/detail/CVE-2026-46403