CVE-2022-23066

CRITICAL

Solana rBPF <0.2.28 - Incorrect Calculation

Title source: llm

Description

In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems.

References (3)

[Exploit, Third Party Advisory] https://blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324

[Patch, Third Party Advisory] https://github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066

Scores

CVSS v3 9.1

EPSS 0.0112

EPSS Percentile 78.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Classification

CWE

CWE-682

Status published

Affected Products (3)

solana/rbpf

solana/rbpf

crates.io/solana_rbpf < 0.2.28crates.io

Timeline

Published May 09, 2022

Tracked Since Feb 18, 2026