CVE-2022-23066 CRITICAL

CVE-2022-23066: Solana rBPF - Incorrect Calculation in sdiv instruction

Vendor Solana-Labs
Product rbpf
Weakness CWE-682
Published May 9, 2022
Last update September 16, 2024

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

Description

Solana rBPF versions 0.2.26 and 0.2.27 are affected by an Incorrect Calculation (CWE-682) caused by an improper implementation of the sdiv instruction. This can lead to the wrong execution path being taken, resulting in a huge loss in specific cases. For example, the result of an sdiv instruction may decide whether or not to transfer tokens. The vulnerability affects integrity and may also cause serious availability problems.

Key dates

Disclosure timeline

May 9, 2022 CVE published
September 16, 2024 Record updated