Description

A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.

INFO

Published Date :

2026-02-13T00:00:00.000Z

Last Modified :

2026-02-17T15:15:36.481Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-70956 vulnerability.

Vendors Products
Ton-blockchain
  • Ton
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-70956.

URL Resource
https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70 cve-icon cve-icon
https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416 cve-icon cve-icon
https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233 cve-icon cve-icon
https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact