PatchSiren cyber security CVE debrief
CVE-2026-45137 solana-foundation CVE debrief
## Summary

Anchor framework versions 1.0.0 through 1.0.1 contain a logic error in the `TryFrom<&'a AccountInfo<'a>>` implementation for `Program<'a, T>`. The vulnerability causes Anchor programs to accept any executable account when the System program is expected, due to `T = ()` and `T = System` both resolving to `Pubkey::default()` in the ID check. This allows attackers to substitute arbitrary programs for the System program in Cross-Program Invocation (CPI) calls, potentially enabling payment bypassing or arbitrary CPI execution in affected Solana programs.

## Technical Analysis

The root cause lies in how Anchor validates program IDs. When no explicit type `T` is supplied, it defaults to `()`, whose `Id::id()` implementation returns `Pubkey::default()`. The System program also uses `Pubkey::default()` as its ID. The validation logic compares `T::id()` against `Pubkey::default()` to determine whether to enforce a specific program ID or allow any executable account. Consequently, both `Program<'a, ()>` and `Program<'a, System>` exhibit identical permissive behavior, accepting any executable account rather than restricting to the actual System program.

Developers building with Anchor reasonably assume that `Program<'a, System>` type constraints guarantee the System program's presence. This assumption is violated, as attackers can pass any program account in place of the System program. When affected programs perform CPI calls to what they believe is the System program (e.g., for lamport transfers or account creation), they instead invoke attacker-controlled code.

## Impact Assessment

- **CVSS 3.1 Score:** 8.2 (HIGH)
- **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
- **Attack Vector:** Network - exploitable via transaction submission to Solana
- **Attack Complexity:** Low - no special conditions required
- **Privileges Required:** None
- **User Interaction:** None
- **Scope:** Unchanged
- **Confidentiality Impact:** Low
- **Integrity Impact:** High - arbitrary CPI allows state manipulation
- **Availability Impact:** None

The integrity impact is rated HIGH because arbitrary CPI enables attackers to execute unauthorized instructions with the full privileges

- Vendor: solana-foundation
- Product: anchor
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-28
Who should care
Solana developers using Anchor framework, smart contract auditors, DeFi protocol security teams, blockchain security researchers
Technical summary
Logic error in Anchor's Program<T> TryFrom implementation causes System program type constraint to accept any executable account, breaking CPI security assumptions
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Anchor framework to version 1.0.2 or later
- Audit existing Anchor programs for CPI calls to System program that rely on Anchor's type validation
- Review programs using `Program<'a, System>` accounts to verify they perform additional explicit program ID checks where security-critical
- Monitor on-chain program invocations for unexpected program accounts in System program contexts
- Consider implementing defense-in-depth by explicitly verifying `account_info.key == system_program::ID` before CPI calls in security-sensitive code paths
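
The permissive check described in the technical analysis and the explicit key check from the last recommended action, modeled as an added stand-alone Rust example (not Anchor's source code). `Pubkey`, `AccountInfo`, `Token`, `check_flawed` and `require_system_program` are simplified, hypothetical stand-ins, and the sample account keys are constructed.

```rust
// Simplified stand-alone model (assumed types, not Anchor's real source).
type Pubkey = [u8; 32];
const DEFAULT_PUBKEY: Pubkey = [0u8; 32]; // Pubkey::default(), also the System program ID

trait Id { fn id() -> Pubkey; }
struct System;
impl Id for System { fn id() -> Pubkey { DEFAULT_PUBKEY } }
impl Id for () { fn id() -> Pubkey { DEFAULT_PUBKEY } } // "any program" marker
struct Token; // hypothetical program with a non-default ID
impl Id for Token { fn id() -> Pubkey { [7u8; 32] } }

struct AccountInfo { key: Pubkey, executable: bool }

#[derive(Debug, PartialEq)]
enum CheckError { InvalidProgramId, NotExecutable }

// Flawed logic as described on this page: a default ID is read as "no specific
// program", so the key comparison is skipped for System as well as for ().
fn check_flawed<T: Id>(info: &AccountInfo) -> Result<(), CheckError> {
    if T::id() != DEFAULT_PUBKEY && info.key != T::id() {
        return Err(CheckError::InvalidProgramId);
    }
    if !info.executable { return Err(CheckError::NotExecutable); }
    Ok(())
}

// Defense-in-depth: compare the key to the System program ID explicitly
// before any CPI, independent of the type-level constraint.
fn require_system_program(info: &AccountInfo) -> Result<(), CheckError> {
    if info.key != DEFAULT_PUBKEY { return Err(CheckError::InvalidProgramId); }
    if !info.executable { return Err(CheckError::NotExecutable); }
    Ok(())
}

fn main() {
    // Constructed sample accounts: an unrelated executable and the System program.
    let other = AccountInfo { key: [9u8; 32], executable: true };
    let system = AccountInfo { key: DEFAULT_PUBKEY, executable: true };
    println!("flawed, System expected, other program: {:?}", check_flawed::<System>(&other));
    println!("flawed, Token expected, other program:  {:?}", check_flawed::<Token>(&other));
    println!("explicit check, other program:          {:?}", require_system_program(&other));
    println!("explicit check, System program:         {:?}", require_system_program(&system));
}
```

In the model, only the `System` and `()` cases skip the key comparison; a type with a non-default ID such as the hypothetical `Token` is still enforced, which is why the issue is specific to the System program.
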
Evidence notes
- CVE published 2026-05-27T21:16:18.670Z
- Affects Anchor framework 1.0.0 to 1.0.1
- Fixed in Anchor 1.0.2
- CWE-20: Improper Input Validation
- CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Official resources
- CVE-2026-45137 CVE record (CVE.org)
- CVE-2026-45137 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27