GHSA-2PGJ-5CV2-6XXW

Vulnerability from github – Published: 2025-10-08 12:43 – Updated: 2025-10-08 12:43
VLAI
Summary
FuelVM is vulnerable to heap memory allocation re-use bug
Details

Impact

A memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a mload (or other opcodes which access memory) on memory that had been deallocated using ret, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage.

All users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.

Patches

The vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with ret was zeroed out or made inaccessible. The fix was included in FuelVM version v0.60.1 and back-ported to v0.59.3. This patch was released to the Fuel network on Friday, April 18th, 2025.

Workarounds

There were no reliable workarounds that fully mitigated the vulnerability. While developers could manually zero out sensitive memory regions before returning from a function, this approach was error-prone and could not be enforced at the VM level. Upgrading to a patched version remained the recommended course of action.

References

  • Fix implemented in the FuelVM GitHub repository (https://github.com/FuelLabs/fuel-vm/pull/941)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "fuel-vm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.59.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "fuel-vm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.60.0"
            },
            {
              "fixed": "0.60.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T12:43:30Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nA memory safety vulnerability was present in the Fuel Virtual Machine (FuelVM), where memory reads could bypass expected access controls. Specifically, when a smart contract performed a `mload` (or other opcodes which access memory) on memory that had been deallocated using `ret`, it was still able to access the old memory contents. This occurred because the memory region was not zeroed out or otherwise marked as invalid. As a result, smart contracts could potentially read sensitive data left over from other contracts if the same memory was reallocated, violating isolation guarantees between contracts and enabling unintended data leakage.\n\nAll users running affected versions of FuelVM that relied on strict memory isolation between smart contracts were impacted.\n\n### Patches\n\nThe vulnerability was patched by modifying the FuelVM to ensure that memory deallocated with `ret` was zeroed out or made inaccessible. The fix was included in FuelVM version `v0.60.1` and back-ported to `v0.59.3`. This patch was released to the Fuel network on Friday, April 18th, 2025.\n\n### Workarounds\n\nThere were no reliable workarounds that fully mitigated the vulnerability. While developers could manually zero out sensitive memory regions before returning from a function, this approach was error-prone and could not be enforced at the VM level. Upgrading to a patched version remained the recommended course of action.\n\n### References\n\n- Fix implemented in the FuelVM GitHub repository (https://github.com/FuelLabs/fuel-vm/pull/941)",
  "id": "GHSA-2pgj-5cv2-6xxw",
  "modified": "2025-10-08T12:43:30Z",
  "published": "2025-10-08T12:43:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FuelLabs/fuel-vm/security/advisories/GHSA-2pgj-5cv2-6xxw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FuelLabs/fuel-vm/pull/941"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FuelLabs/fuel-vm/commit/9c97c2bf782626b35ba48e154f210f91c847a513"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FuelLabs/fuel-vm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FuelVM is vulnerable to heap memory allocation re-use bug"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…