GHSA-2PGJ-5CV2-6XXW
Vulnerability from github – Published: 2025-10-08 12:43 – Updated: 2025-10-08 12:43Impact
A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a mload (or other opcodes which access memory) on memory that had been deallocated using ret, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage.
All users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.
Patches
The vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with ret was zeroed out or made inaccessible. The fix was included in FuelVM version v0.60.1 and back-ported to v0.59.3. This patch was released to the Fuel network on Friday, April 18th, 2025.
Workarounds
There were no reliable workarounds that fully mitigated the vulnerability. While developers could manually zero out sensitive memory regions before returning from a function, this approach was error-prone and could not be enforced at the VM level. Upgrading to a patched version remained the recommended course of action.
References
- Fix implemented in the FuelVM GitHub repository (https://github.com/FuelLabs/fuel-vm/pull/941)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "fuel-vm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.59.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "fuel-vm"
},
"ranges": [
{
"events": [
{
"introduced": "0.60.0"
},
{
"fixed": "0.60.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-08T12:43:30Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nA memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a `mload` (or other opcodes which access memory) on memory that had been deallocated using `ret`, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage.\n\nAll users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.\n\n### Patches\n\nThe vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with `ret` was zeroed out or made inaccessible. The fix was included in FuelVM version `v0.60.1` and back-ported to `v0.59.3`. This patch was released to the Fuel network on Friday, April 18th, 2025.\n\n### Workarounds\n\nThere were no reliable workarounds that fully mitigated the vulnerability. While developers could manually zero out sensitive memory regions before returning from a function, this approach was error-prone and could not be enforced at the VM level. Upgrading to a patched version remained the recommended course of action.\n\n### References\n\n- Fix implemented in the FuelVM GitHub repository (https://github.com/FuelLabs/fuel-vm/pull/941)",
"id": "GHSA-2pgj-5cv2-6xxw",
"modified": "2025-10-08T12:43:30Z",
"published": "2025-10-08T12:43:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/FuelLabs/fuel-vm/security/advisories/GHSA-2pgj-5cv2-6xxw"
},
{
"type": "WEB",
"url": "https://github.com/FuelLabs/fuel-vm/pull/941"
},
{
"type": "WEB",
"url": "https://github.com/FuelLabs/fuel-vm/commit/9c97c2bf782626b35ba48e154f210f91c847a513"
},
{
"type": "PACKAGE",
"url": "https://github.com/FuelLabs/fuel-vm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "FuelVM is vulnerable to heap memory allocation re-use bug"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.