CVE-2026-26267

CVE-2026-26267 is a high-severity security vulnerability in soroban-sdk-macros (rust), affecting versions >= 25.0.0, <= 25.1.0. It is fixed in 25.1.1, 23.5.2, 22.0.10.

Summary

Workarounds

If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.

Impact

The #[contractimpl] macro contains a bug in how it wires up function calls.

In Rust, you can define functions on a type in two ways:

  • Directly on the type, as an inherent function:
    impl MyContract {
        fn value() { ... }
    }

  • Through a trait:
    impl Trait for MyContract {
        fn value() { ... }
    }

These are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write MyContract::value(), Rust always picks the one defined directly on the type, not the trait version.

The bug is that #[contractimpl] generates code that uses MyContract::value() style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.

As a result, the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously:

  1. An impl Trait for MyContract block is defined with one or more functions, with #[contractimpl] applied.
  2. An impl MyContract block is defined with one or more identically named functions, without #[contractimpl] applied.

If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.

For example:

use soroban_sdk::{contract, contractimpl};

#[contract]
pub struct Contract;

impl Contract {
    /// Inherent function, returns 1.
    /// Bug: The macro-generated WASM export is wired up to call this function.
    pub fn value() -> u32 {
        1
    }
}

pub trait Trait {
    fn value() -> u32;
}

#[contractimpl]
impl Trait for Contract {
    /// Trait implementation, returns 2.
    /// Fix: The macro-generated WASM export should call this function.
    fn value() -> u32 {
        2
    }
}

CVE-2026-26267 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (25.1.1, 23.5.2, 22.0.10); upgrading removes the vulnerable code path.

Affected versions

soroban-sdk-macros (>= 25.0.0, <= 25.1.0)
soroban-sdk-macros (>= 23.0.0, <= 23.5.1)
soroban-sdk-macros (<= 22.0.9)

Security releases

soroban-sdk-macros → 25.1.1 (rust)
soroban-sdk-macros → 23.5.2 (rust)
soroban-sdk-macros → 22.0.10 (rust)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

The problem is patched in soroban-sdk-macros version 25.1.1. The fix changes the generated call from <Type>::func() to <Type as Trait>::func() when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.
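The resolution rule described in the Impact section, and the effect of the <Type as Trait>::func() fix and of the renaming workaround, can be reproduced in plain Rust. The following is an added, standalone example and not code from the advisory or from soroban-sdk: it has no soroban-sdk dependency, and the export_* functions are a hypothetical stand-in for the glue that #[contractimpl] generates, written so that the three call shapes can be compared side by side.

```rust
// Added illustration of the path-resolution rule behind CVE-2026-26267.
// No soroban-sdk code is used; the export_* functions below stand in for the
// macro-generated Wasm entry points (a hypothetical simplification).

pub struct Contract;

impl Contract {
    /// Inherent associated function, returns 1.
    pub fn value() -> u32 {
        1
    }
}

pub trait Trait {
    fn value() -> u32;
}

impl Trait for Contract {
    /// Trait implementation, returns 2. In the real bug this is the function
    /// carrying the checks that the export was supposed to reach.
    fn value() -> u32 {
        2
    }
}

/// Call shape emitted by affected soroban-sdk-macros versions: `<Type>::func()`.
/// Rust resolves a plain path to the inherent function first, so this returns 1
/// even though the macro emitted it while processing the trait impl.
pub fn export_vulnerable() -> u32 {
    Contract::value()
}

/// Call shape emitted by the fixed versions: `<Type as Trait>::func()`.
/// Fully qualified syntax names the trait explicitly, so an inherent function
/// with the same name cannot shadow it.
pub fn export_fixed() -> u32 {
    <Contract as Trait>::value()
}

/// The workaround from the advisory: no inherent function shares the trait
/// function's name, so even the vulnerable call shape lands on the trait impl.
pub struct RenamedContract;

impl RenamedContract {
    pub fn inherent_value() -> u32 {
        1
    }
}

impl Trait for RenamedContract {
    fn value() -> u32 {
        2
    }
}

pub fn export_vulnerable_after_workaround() -> u32 {
    RenamedContract::value()
}

fn main() {
    println!("vulnerable call shape : {}", export_vulnerable()); // 1
    println!("fixed call shape      : {}", export_fixed()); // 2
    println!("after workaround      : {}", export_vulnerable_after_workaround()); // 2
}
```

Run it with `cargo run` or `rustc` and compare the three lines: only the first one reaches the inherent function, which is the behaviour the affected macro versions produced for every trait function that had an inherent twin.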

Users should upgrade to soroban-sdk-macros >= 25.1.1 and recompile their contracts.

Frequently Asked Questions

  1. What is CVE-2026-26267? CVE-2026-26267 is a high-severity security vulnerability in soroban-sdk-macros (rust), affecting versions >= 25.0.0, <= 25.1.0. It is fixed in 25.1.1, 23.5.2, 22.0.10.
  2. How severe is CVE-2026-26267? CVE-2026-26267 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of soroban-sdk-macros are affected by CVE-2026-26267? soroban-sdk-macros (rust) versions >= 25.0.0, <= 25.1.0 are affected.
  4. Is there a fix for CVE-2026-26267? Yes. CVE-2026-26267 is fixed in 25.1.1, 23.5.2, 22.0.10. Upgrade to one of these versions or later.
  5. Is CVE-2026-26267 exploitable, and should I be worried? Whether CVE-2026-26267 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-26267 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-26267?
    • Upgrade soroban-sdk-macros to 25.1.1 or later
    • Upgrade soroban-sdk-macros to 23.5.2 or later
    • Upgrade soroban-sdk-macros to 22.0.10 or later
