CVE-2026-40583 HIGH

CVE-2026-40583: UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant Halt

Vendor Ultradagcom
Product core
Weakness CWE-460
Published April 21, 2026
Last update April 21, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/U:Red

What the vulnerability does

01Description

UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred.

Key dates

02Disclosure timeline

April 21, 2026 CVE published
April 21, 2026 Record updated