CVE-2026-40583

HIGH

UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant Halt

Title source: cna

Description

UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails authorization only after state mutation has already occurred.

References (3)

Scores

CVSS v4 8.8
EPSS 0.0004
EPSS Percentile 12.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/U:Red

Details

CWE
CWE-460 CWE-696
Status published
Products (1)
UltraDAGcom/core = 0.1
Published Apr 21, 2026
Tracked Since Apr 21, 2026