Summary
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived
CSA-2026-001: Tachyon
Description
Name: CSA-2026-001: Tachyon
Criticality: Critical (Catastrophic Impact; Possible Likelihood per ACMv1.2)
Affected versions: All versions of CometBFT
Affected users: Validators and protocols relying on block timestamps
Description
A consensus-level vulnerability was discovered in CometBFT's "BFT Time" implementation due to an inconsistency between how commit signatures are verified and how block time is derived.
This breaks a core BFT Time guarantee: "A faulty process cannot arbitrarily increase the Time value."
Workarounds
There are no effective workarounds for this vulnerability. Upgrading to patched versions is required.
Timeline
- January 8, 2026, 5:27PM UTC: Issue reported to Cosmos Bug Bounty Program
- January 9, 2026, 4:55AM UTC: Issue triaged and validated by core team
- January 12, 2026, 10:25PM UTC: Core team completes patch for the issue
- January 13, 2026 4:41PM UTC: Pre-notification delivered to ecosystem partners
- January 23, 2026, 3:00PM UTC: Patch made available
Credits
This issue was reported to the Cosmos Bug Bounty Program on HackerOne. Credit to SEAL 911 and QED Audit for the discovery and help with the patch.
If you believe you have found a bug in the Cosmos Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Cosmos security efforts, please reach out to our official communication channel at [email protected].
A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.
Impact
Downstream impact on chains affects any module, smart contract, or system that relies on the block timestamp.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The new CometBFT releases v0.38.21 and v0.37.18 fix this issue. The main unreleased branch is also patched.
Frequently Asked Questions
- What is GHSA-C32P-WCQJ-J677? GHSA-C32P-WCQJ-J677 is a high-severity security vulnerability in github.com/cometbft/cometbft (go), affecting versions >= 0.38.0-alpha.1, <= 0.38.20. It is fixed in 0.38.21, 0.37.18.
- Which versions of github.com/cometbft/cometbft are affected by GHSA-C32P-WCQJ-J677? github.com/cometbft/cometbft (go) versions >= 0.38.0-alpha.1, <= 0.38.20 is affected.
- Is there a fix for GHSA-C32P-WCQJ-J677? Yes. GHSA-C32P-WCQJ-J677 is fixed in 0.38.21, 0.37.18. Upgrade to this version or later.
- Is GHSA-C32P-WCQJ-J677 exploitable, and should I be worried? Whether GHSA-C32P-WCQJ-J677 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-C32P-WCQJ-J677 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-C32P-WCQJ-J677?
- Upgrade
github.com/cometbft/cometbftto 0.38.21 or later - Upgrade
github.com/cometbft/cometbftto 0.37.18 or later
- Upgrade