mirror of
https://github.com/rustsec/advisory-db.git
synced 2026-07-16 00:12:29 -04:00
Add advisory for anchor-lang Program System validation
This commit is contained in:
committed by
Dirkjan Ochtman
parent
fbe725826a
commit
e1e852ff7f
36
crates/anchor-lang/RUSTSEC-0000-0000.md
Normal file
36
crates/anchor-lang/RUSTSEC-0000-0000.md
Normal file
@@ -0,0 +1,36 @@
|
||||
```toml
|
||||
[advisory]
|
||||
id = "RUSTSEC-0000-0000"
|
||||
package = "anchor-lang"
|
||||
date = "2026-05-07"
|
||||
url = "https://github.com/otter-sec/anchor/security/advisories/GHSA-c6rc-8jpp-2fgc"
|
||||
references = ["https://github.com/solana-foundation/anchor/releases/tag/v1.0.2"]
|
||||
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"
|
||||
keywords = ["solana", "anchor", "account-validation", "system-program"]
|
||||
aliases = ["CVE-2026-45137", "GHSA-c6rc-8jpp-2fgc"]
|
||||
license = "CC-BY-4.0"
|
||||
|
||||
[versions]
|
||||
patched = [">= 1.0.2"]
|
||||
unaffected = ["< 1.0.0"]
|
||||
```
|
||||
|
||||
# `Program<System>` accepts arbitrary executable programs
|
||||
|
||||
Affected versions of `anchor-lang` did not properly validate accounts declared
|
||||
as `Program<'info, System>`. The generic `Program<T>` validation path used
|
||||
`Pubkey::default()` as a sentinel to decide whether any executable program
|
||||
should be accepted. Since the system program id is also the default pubkey,
|
||||
`Program<'info, System>` was treated like the untyped `Program<'info>` case and
|
||||
accepted any executable program account.
|
||||
|
||||
Programs commonly rely on `Program<'info, System>` to ensure that CPI calls and
|
||||
instruction builders target the real Solana system program. With the faulty
|
||||
validation, an attacker could supply another executable program where the system
|
||||
program was expected, causing downstream logic to make false assumptions about
|
||||
payments, account creation, or other system-program CPIs.
|
||||
|
||||
The issue was fixed in `anchor-lang` 1.0.2 by separating the typed
|
||||
`Program<T>` validation path from the untyped `Program<()>` path, so
|
||||
`Program<'info, System>` now checks the provided account key against the system
|
||||
program id. Users should upgrade to `anchor-lang` 1.0.2 or later.
|
||||
Reference in New Issue
Block a user