CVE-2024-26149: Vyper's `_abi_decode` vulnerable to Memory Overflow
Summary
If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within `_abi_decode`. The advisory has been assigned low severity, because it is only observable if there is a memory write between two invocations of `abi_decode` on the same input.
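As an added illustration (not Vyper's code and not part of the advisory), the following Python models the mechanism described above: an array start offset taken from the input is added to a base pointer with 256-bit wrapping, so an excessively large offset moves the read position before the payload, where stale data from an earlier memory write is decoded as the array. The checked variant shows the bounds test that rejects such an offset. The memory image, positions and values are constructed for the example.

```python
# Constructed model of the read-position overflow described above. It is not
# Vyper's decoder: it only models an ABI-style dynamic array whose start
# offset is taken from the input and added to a base pointer modulo 2**256.
WORD = 32
MASK = (1 << 256) - 1
BASE = 96          # where the decoded payload begins in the memory image
SIZE = 96          # payload length: offset word + length word + one item


def word(mem: bytes, pos: int) -> int:
    """Read one 32-byte big-endian word at byte position pos."""
    return int.from_bytes(mem[pos:pos + WORD], "big")


def build_memory(offset: int) -> bytes:
    """Constructed 256-byte memory image. Words at 0, 32 and 64 are stale data
    from an earlier write (length 2, items 0xDEAD, 0xBEEF); the payload at BASE
    carries the given start offset, a length of 1 and the single item 42."""
    mem = bytearray(256)
    layout = {0: 2, 32: 0xDEAD, 64: 0xBEEF,
              BASE: offset, BASE + 32: 1, BASE + 64: 42}
    for pos, value in layout.items():
        mem[pos:pos + WORD] = (value & MASK).to_bytes(WORD, "big")
    return bytes(mem)


def decode_unchecked(mem: bytes, base: int) -> list[int]:
    """Vulnerable pattern: base + offset wraps at 2**256, so an offset close to
    2**256 moves the read position *before* the payload instead of failing."""
    start = (base + word(mem, base)) & MASK
    length = word(mem, start)
    return [word(mem, start + WORD * (i + 1)) for i in range(length)]


def decode_checked(mem: bytes, base: int, size: int) -> list[int]:
    """Hardened: the offset, the length word and every item must fit inside
    the payload window [base, base + size), with no wrapping arithmetic."""
    offset = word(mem, base)
    if offset + WORD > size:
        raise ValueError("array offset points outside the payload")
    start = base + offset
    length = word(mem, start)
    if offset + WORD * (length + 1) > size:
        raise ValueError("array extends past the end of the payload")
    return [word(mem, start + WORD * (i + 1)) for i in range(length)]


if __name__ == "__main__":
    print(decode_unchecked(build_memory(32), BASE))       # [42]
    print(decode_unchecked(build_memory(-BASE), BASE))    # [57005, 48879]
```

With the benign offset both decoders return `[42]`; with an offset of `2**256 - BASE` the unchecked decoder returns the stale words `[0xDEAD, 0xBEEF]` while the checked one raises.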