CVE-2026-24783: soroban-fixed-point-math has Incorrect Rounding and Overflow Handling in Signed Fixed-Point Math with Negatives
In versions 1.3.0 and 1.4.0, the mulDiv function incorrectly handled cases where both the intermediate product and divisor were negative, causing rounding to be applied in the wrong direction
References
- github.com/advisories/GHSA-x5m4-43jf-hh65
- github.com/script3/soroban-fixed-point-math
- github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a
- github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1
- github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1
- github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65
- nvd.nist.gov/vuln/detail/CVE-2026-24783
Code Behaviors & Features
Detect and mitigate CVE-2026-24783 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →