
RUSTSEC-2026-0191

EbpfVm::invoke_function performs out-of-bounds pointer arithmetic

Reported:
Issued:
Package: solana_rbpf (crates.io)
Type: INFO Unsound
Categories:
Keywords: #soundness #pointer-arithmetic #out-of-bounds
References:
Patched: no patched versions
Unaffected:
  • <0.8.0
Affected Functions:
  solana_rbpf::vm::EbpfVm::invoke_function
    Version: >=0.8.0, <=0.8.5

Description

Affected versions of solana_rbpf expose the safe (non-`unsafe`) method EbpfVm::invoke_function. This method computes an obfuscated VM pointer by casting self to *mut u64 and applying a randomized offset derived from get_runtime_environment_key().

The resulting pointer arithmetic is performed with ptr::offset, whose safety contract requires the computed pointer to remain within the same allocation (or one past its end). In practice, the randomized offset can move the pointer far outside the allocation containing the EbpfVm, so the arithmetic itself is undefined behavior, before the supplied builtin function is ever invoked.
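The following is an added illustration of the pattern the advisory describes and of its sound counterpart; it is not code from solana_rbpf or solana-sbpf. The EbpfVm layout, the fixed key returned by runtime_environment_key() (standing in for get_runtime_environment_key()), and the names obfuscate, deobfuscate and invoke_function are all hypothetical simplifications. The unsound form (ptr::offset) is kept as a comment so the example can run under Miri; the running code uses wrapping_offset, whose result is defined for any offset because nothing is dereferenced until the pointer is mapped back into the allocation.

```rust
/// Simplified stand-in for the VM struct (hypothetical layout, not the crate's real one).
#[repr(C)]
pub struct EbpfVm {
    pub program_counter: u64,
    pub registers: [u64; 11],
}

/// Stand-in for get_runtime_environment_key(). The real key is randomized per
/// process; a fixed negative value is used here so the example is reproducible.
pub fn runtime_environment_key() -> i32 {
    -0x5a3c_71e2
}

/// Unsound pattern (shown only as a comment; do not execute):
///
///     let hidden = (vm as *mut u64).offset(key as isize);
///
/// `offset` requires the result to stay inside the allocation that holds the VM.
/// A large or negative key violates that contract, which is undefined behavior
/// even if the pointer is never dereferenced.
///
/// Sound form: `wrapping_offset` performs the same arithmetic with wrapping
/// semantics, so producing a far-out-of-bounds value is defined. Provenance is
/// preserved, so reversing the offset yields a pointer that may be used again.
pub fn obfuscate(vm: *mut EbpfVm, key: i32) -> *mut u64 {
    (vm as *mut u64).wrapping_offset(key as isize)
}

/// Reverse the obfuscation. Only a pointer produced by `obfuscate` with the same
/// key maps back inside the VM allocation.
pub fn deobfuscate(hidden: *mut u64, key: i32) -> *mut EbpfVm {
    hidden.wrapping_offset(-(key as isize)) as *mut EbpfVm
}

/// Signature of a builtin receiving the obfuscated VM pointer and one argument.
pub type BuiltinFunction = fn(*mut u64, u64) -> u64;

/// Hypothetical invoke_function: hides the VM pointer behind the key, then calls
/// the builtin. No `unsafe` is needed here because no pointer is dereferenced.
pub fn invoke_function(vm: &mut EbpfVm, function: BuiltinFunction, arg: u64) -> u64 {
    let key = runtime_environment_key();
    let hidden = obfuscate(vm as *mut EbpfVm, key);
    function(hidden, arg)
}

/// Example builtin: recovers the VM, stores `arg` in r0 and advances the PC.
fn example_builtin(hidden: *mut u64, arg: u64) -> u64 {
    let vm = deobfuscate(hidden, runtime_environment_key());
    // SAFETY: `hidden` was derived by `invoke_function` from a live `&mut EbpfVm`
    // with the same key, so `vm` points back into that allocation.
    unsafe {
        (*vm).registers[0] = arg;
        (*vm).program_counter += 1;
        (*vm).registers[0]
    }
}

/// Run one obfuscated call and report (builtin result, program counter after).
pub fn run_example() -> (u64, u64) {
    let mut vm = EbpfVm { program_counter: 0, registers: [0; 11] };
    let result = invoke_function(&mut vm, example_builtin, 42);
    (result, vm.program_counter)
}

fn main() {
    let (result, pc) = run_example();
    println!("builtin returned {result}, program counter now {pc}");
}
```

Running this under `cargo miri run` is the practical check: the wrapping_offset version passes, whereas substituting `offset` as in the comment makes Miri report the out-of-bounds pointer arithmetic on the first call.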

Unmaintained

The upstream solana_rbpf repository is archived, and no patched version of this crate is currently available.

Users should migrate to the maintained solana-sbpf crate. The issue has been fixed there in anza-xyz/sbpf#151.

Advisory available under CC0-1.0 license.