GHSA-54gx-3cgr-7mfm: Cosmos EVM: incorrect state handling during nested EVM execution paths

On January 21, 2026, Cosmos Labs was notified of suspicious activity on a network running the affected implementation. The issue resulted in financial loss on the Saga EVM network.

After confirming the vulnerability, Cosmos Labs coordinated with the affected chain team and ecosystem partners to investigate the issue, deploy mitigations, and assist other chains running the affected code.

Cosmos Labs contacted chains known to be running versions containing the affected component to verify their configurations and support mitigation where necessary. At the time of publication, all known affected chains have either applied mitigations or upgraded to a patched version.