CVE-2025-70956

Published: Feb 13, 2026

Modified: Feb 17, 2026

PUBLISHED

Description

A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract's context.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/ton-blockchain/ton/commit/1835d84602bbaaa1593270d7ab3bb0b499920416

https://github.com/ton-blockchain/ton/releases/tag/v2025.04#:~:text=Arayz%2C%20Robinlzw%2C%20%40wy666444%20%40Lucian-code233

https://mp.weixin.qq.com/s/ZD35baKUikefFdtNHZIC9g

https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-70956

Description

Affected Products

References