EXECUTIVE SUMMARY:
The rs‑soroban‑sdk package contains a vulnerability CVE-2026-32322 in the Fr scalar field equality comparison logic where the code incorrectly bypasses modular reduction when comparing unreduced field values. This flaw allows mathematically equivalent scalar values to be treated as unequal, potentially undermining contract logic that depends on accurate field comparisons and leading to incorrect authorization decisions or validation bypasses in smart contracts that accept crafted inputs. The issue arises from the raw U256 representation being compared without reduction and affects multiple versions of the SDK before the patched releases; developers and users should update to the fixed versions to ensure canonical field element comparison and maintain security in applications relying on these cryptographic operations. The vulnerability has a CVSS score of 5.3.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
The rs‑soroban‑sdk package contains a vulnerability CVE-2026-32322 in the Fr scalar field equality comparison logic where the code incorrectly bypasses modular reduction when comparing unreduced field values. This flaw allows mathematically equivalent scalar values to be treated as unequal, potentially undermining contract logic that depends on accurate field comparisons and leading to incorrect authorization decisions or validation bypasses in smart contracts that accept crafted inputs. The issue arises from the raw U256 representation being compared without reduction and affects multiple versions of the SDK before the patched releases; developers and users should update to the fixed versions to ensure canonical field element comparison and maintain security in applications relying on these cryptographic operations. The vulnerability has a CVSS score of 5.3.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
[/emaillocker]