SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Prior to version 0.36.0, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call came from a direct `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. For those affected, the issue can lead to possible incorrect state transitions. Version 0.36.0 contains a patch. There are no known workarounds.
Published 2022-10-25 19:15:12
Updated 2022-10-28 19:37:38
Source GitHub, Inc.
View at NVD,   CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-39354

0.06%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-39354

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
7.5
HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
3.9
3.6
NIST
5.9
MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
2.2
3.6
GitHub, Inc.

CWE ids for CVE-2022-39354

  • The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
    Assigned by:
    • nvd@nist.gov (Primary)
    • security-advisories@github.com (Secondary)

References for CVE-2022-39354

Products affected by CVE-2022-39354

This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!