TROYANOSYVIRUS
Retour aux CVEs

CVE-2025-70956

HIGH
7.5

Description

A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.

Details CVE

Score CVSS v3.17.5
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie2/13/2026
Derniere modification2/18/2026
Sourcenvd
Observations honeypot0

Faiblesses (CWE)

CWE-1321

References

https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70(cve@mitre.org)
https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416(cve@mitre.org)
https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233(cve@mitre.org)
https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g(cve@mitre.org)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.