PatchSiren cyber security CVE debrief

CVE-2026-42278 UltraDAGcom CVE debrief

UltraDAG StateEngine contains a critical authorization bypass in SmartTransferTx processing. When transactions originate from a Pocket (a derived sub-address), the engine fails to resolve the pocket's parent account before checking spending policies. Because pockets lack their own SmartAccountConfig entries, the check_spending_policy method defaults to an authorized/no-policy result. This allows immediate bypass of parent account protections including vault delays and daily spending limits, enabling complete drainage of all pockets on an account. The vulnerability affects all versions prior to commit fb6ef59.

Vendor: UltraDAGcom
Product: core
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-19
Advisory published: 2026-05-08
Advisory updated: 2026-05-19

Who should care

UltraDAG node operators, blockchain developers implementing sub-address or pocket architectures, security auditors of DAG-BFT consensus systems, and organizations holding UDAG assets in Pocket-structured accounts

Technical summary

The vulnerability exists in UltraDAG's StateEngine implementation of SmartTransferTx. Pockets are virtual sub-addresses mapped to parent accounts via pocket_to_parent but lack independent SmartAccountConfig entries. The check_spending_policy method receives the Pocket address as the account identifier, fails to find a configuration, and defaults to authorized. This occurs before any parent account lookup, allowing complete circumvention of configured delays and limits. The fix in commit fb6ef59 ensures proper parent resolution prior to policy evaluation.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade UltraDAG core to commit fb6ef59 or later immediately
  • Audit all SmartTransferTx transactions originating from Pocket addresses since deployment for unauthorized spending
  • Review and strengthen policy enforcement pipeline to ensure parent account resolution occurs before any policy check
  • Implement additional validation to reject transactions from virtual addresses lacking explicit policy configurations
  • Monitor for anomalous Pocket-to-external transfers that bypass expected time delays or spending limits
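The policy bypass described in the technical summary, and the retrospective audit from the actions above, as an added example in Python that is not UltraDAG's code. It is a toy model: the StateEngine, SmartAccountConfig fields (vault_delay_secs, daily_limit), account and pocket names, and the ledger records are all constructed here as assumptions. The vulnerable check keys the policy lookup on the sender as received; the fixed check resolves pocket_to_parent first and, as the advisory recommends, refuses a pocket whose parent has no explicit configuration. The same fixed check is then replayed over a constructed transfer history to flag transfers that should have been refused.

```python
"""Toy model of the pocket/parent policy bypass; not UltraDAG's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class SmartAccountConfig:
    vault_delay_secs: int   # assumed field: minimum seconds between outbound transfers
    daily_limit: int        # assumed field: maximum outbound total in a 24h window

@dataclass
class StateEngine:
    configs: Dict[str, SmartAccountConfig] = field(default_factory=dict)
    pocket_to_parent: Dict[str, str] = field(default_factory=dict)
    spent: Dict[str, List[Tuple[int, int]]] = field(default_factory=dict)  # account -> [(ts, amount)]

    def _evaluate(self, account: str, amount: int, now: int) -> Tuple[bool, str]:
        cfg = self.configs.get(account)
        if cfg is None:
            return True, "no-policy"          # the default the advisory describes
        history = self.spent.get(account, [])
        if history and now - history[-1][0] < cfg.vault_delay_secs:
            return False, "vault-delay"
        window = sum(a for ts, a in history if now - ts < 86400)
        if window + amount > cfg.daily_limit:
            return False, "daily-limit"
        return True, "ok"

    def _record(self, account: str, amount: int, now: int) -> None:
        self.spent.setdefault(account, []).append((now, amount))

def check_spending_policy_vulnerable(engine: StateEngine, sender: str, amount: int, now: int):
    # Lookup keyed directly on the sender: a pocket has no config, so the
    # lookup misses and the transfer is treated as authorized.
    ok, reason = engine._evaluate(sender, amount, now)
    if ok:
        engine._record(sender, amount, now)
    return ok, reason

def check_spending_policy_fixed(engine: StateEngine, sender: str, amount: int, now: int):
    # Resolve the parent before any policy check, and fail closed for a
    # pocket whose parent carries no explicit configuration.
    is_pocket = sender in engine.pocket_to_parent
    policy_account = engine.pocket_to_parent.get(sender, sender)
    if is_pocket and policy_account not in engine.configs:
        return False, "pocket-without-policy"
    ok, reason = engine._evaluate(policy_account, amount, now)
    if ok:
        engine._record(policy_account, amount, now)   # spend accrues to the parent
    return ok, reason

def build_demo_engine() -> StateEngine:
    # Constructed accounts: alice has a 1h vault delay and a 1000 daily limit.
    eng = StateEngine()
    eng.configs["acct:alice"] = SmartAccountConfig(vault_delay_secs=3600, daily_limit=1000)
    eng.pocket_to_parent["pocket:alice:1"] = "acct:alice"
    eng.pocket_to_parent["pocket:alice:2"] = "acct:alice"
    eng.pocket_to_parent["pocket:bob:1"] = "acct:bob"   # parent without any config
    return eng

# Constructed transfer history: (timestamp, sender, recipient, amount).
LEDGER = [
    (0,    "pocket:alice:1", "ext:X", 5000),
    (0,    "pocket:alice:2", "ext:X", 900),
    (10,   "pocket:alice:2", "ext:X", 900),
    (3700, "pocket:alice:1", "ext:X", 200),
    (4000, "acct:carol",     "ext:Y", 50),   # plain account with no config
]

def replay(check: Callable, ledger) -> List[str]:
    """Run a ledger through a policy check on a fresh engine; return each verdict."""
    eng = build_demo_engine()
    return [check(eng, sender, amount, ts)[1] for ts, sender, _rcpt, amount in sorted(ledger)]

def audit_ledger(ledger) -> List[Tuple[int, str, str, str, str]]:
    """Flag confirmed transfers a parent-resolving check would have refused.

    Only transfers the correct check accepts are recorded as spend, so the
    replay reconstructs what a fixed node would have allowed.
    """
    eng = build_demo_engine()
    flagged = []
    for ts, sender, rcpt, amount in sorted(ledger):
        ok, reason = check_spending_policy_fixed(eng, sender, amount, ts)
        if not ok:
            parent = eng.pocket_to_parent.get(sender, sender)
            flagged.append((ts, sender, parent, rcpt, reason))
    return flagged

if __name__ == "__main__":
    print("vulnerable:", replay(check_spending_policy_vulnerable, LEDGER))
    print("fixed:     ", replay(check_spending_policy_fixed, LEDGER))
    for entry in audit_ledger(LEDGER):
        print("FLAG", entry)
```

Run stand-alone, the vulnerable replay authorizes every transfer with "no-policy", while the fixed replay refuses the 5000 transfer (daily limit), the second transfer ten seconds later (vault delay) and the 200 transfer that pushes the parent's 24h total over its limit; the audit lists those three. Spend is tracked per parent, so pockets cannot be used to split a limit between sub-addresses.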

Evidence notes

NVD record published 2026-05-08, modified 2026-05-19. GitHub Security Advisory GHSA-9chc-gjfr-6hrq and commit fb6ef59d6c1385400e7acea7ae31fc6a473c3051 confirm the fix. The CVSS 4.0 vector indicates a network attack vector with high integrity and availability impact. CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key) are identified.

Official resources

2026-05-08