Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
TON Virtual Machine allows corrupted state to cause unexpected behavior
CVE-2025-70956
Summary
A bug in the TON Virtual Machine can cause it to behave unexpectedly if a specific condition occurs. This can lead to a denial of service within a contract. Update to version 2025.04 or later to fix the issue.
Original title
A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for in...
Original description
A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.
nvd CVSS3.1
7.5
Vulnerability type
CWE-1321
Prototype Pollution
Published: 13 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026