FKIE_CVE-2025-70956
Vulnerability from fkie_nvd - Published: 2026-02-13 22:16 - Updated: 2026-02-18 17:52
Severity
Summary
A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract\u0027s context."
},
{
"lang": "es",
"value": "Se descubri\u00f3 una vulnerabilidad de contaminaci\u00f3n de estado en la M\u00e1quina Virtual TON (TVM) antes de la v2025.04. El problema existe en la l\u00f3gica de la instrucci\u00f3n RUNVM (VmState::run_child_vm), que es responsable de inicializar m\u00e1quinas virtuales secundarias. La operaci\u00f3n mueve recursos cr\u00edticos (espec\u00edficamente librer\u00edas y registro) del estado padre a un nuevo estado secundario de manera no at\u00f3mica. Si ocurre una excepci\u00f3n de Out-of-Gas (OOG) despu\u00e9s de que los recursos son movidos pero antes de que la transici\u00f3n de estado sea finalizada, la VM padre retiene un estado corrupto donde estos recursos est\u00e1n vac\u00edos/inv\u00e1lidos. Debido a que RUNVM soporta aislamiento de gas, la VM padre contin\u00faa la ejecuci\u00f3n con este estado corrupto, lo que lleva a un comportamiento inesperado o denegaci\u00f3n de servicio dentro del contexto del contrato."
}
],
"id": "CVE-2025-70956",
"lastModified": "2026-02-18T17:52:44.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-02-13T22:16:10.290",
"references": [
{
"source": "cve@mitre.org",
"url": "https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233"
},
{
"source": "cve@mitre.org",
"url": "https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.