Description

soroban-fixed-point-math is a fixed-point math library for Soroban smart contacts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available.

INFO

Published Date :

2026-01-27T22:04:18.006Z

Last Modified :

2026-01-28T21:09:12.428Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24783 vulnerability.

Vendors Products
Script3
  • Soroban-fixed-point-math
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24783.

URL Resource
https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a cve-icon cve-icon
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1 cve-icon cve-icon
https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1 cve-icon cve-icon
https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact