High severity · NVD Advisory · Published May 21, 2022 · Updated Aug 3, 2024

CVE-2022-31264

Description

Solana solana_rbpf before 0.2.29 has an addition integer overflow via invalid ELF program headers. elf.rs has a panic via a malformed eBPF program.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in solana_rbpf ELF parser before 0.2.29 allows denial of service via crafted eBPF program.

Vulnerability

An integer overflow vulnerability exists in the elf.rs module of solana_rbpf (the Rust virtual machine for eBPF used by Solana). The bug resides in the vm_range() function, which computes the virtual memory range from the program header fields p_vaddr and p_memsz. When a malformed ELF is loaded with sufficiently large values, the addition self.p_vaddr as usize + self.p_memsz as usize overflows, causing a panic. This affects versions prior to 0.2.29 [1], [3]. By default, the crate may load these invalid ELFs without proper validation, though the reject_broken_elfs configuration option can be set to true to attempt rejection [3].

Exploitation

An attacker needs to supply a malicious ELF eBPF program to an application using solana_rbpf. The attack requires no special authentication or network position beyond delivering the crafted ELF (e.g., via file open, network upload, or malformed syscall input). The proof-of-concept [3] demonstrates modifying two bytes in a valid test ELF at specific offsets to set large values, then calling Executable::load. The program panics immediately upon loading due to the arithmetic overflow in vm_range (called by the ELF loader).

Impact

Successful exploitation causes a denial of service (panic) in the process that loads the malformed eBPF program. The vulnerability does not appear to allow code execution or memory corruption beyond the immediate abort, as the overflow triggers a safe panic in the goblin crate (used for ELF parsing) due to overflow-checked addition. However, repeated exploitation can disrupt service availability. No privilege escalation is achieved; the crash occurs at the user-space level.

Mitigation

The fix was released in version 0.2.29 of solana_rbpf with commit #320 [4]. This version adds proper overflow checks on the addition in vm_range, preventing the panic. Users should update to solana_rbpf 0.2.29 or later [4]. If upgrading is not immediately possible, applications can set config.reject_broken_elfs = true to mitigate some malformed ELFs, though this may not fully protect against all crafted inputs [3]. The repository is now archived (read-only as of Jan 2025), so no further patches are expected. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
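
The addition described under Vulnerability, next to a checked form of the kind described under Mitigation, as an added example; it is not code from solana_rbpf, goblin, or the fix commit. The ProgramHeader struct, ElfError enum, and validate_headers function are hypothetical names, and the sample headers are constructed.

```rust
use std::convert::TryFrom;
use std::ops::Range;

/// Hypothetical stand-in for an ELF64 program header; only the two
/// fields named in the advisory are modelled.
#[derive(Debug, Clone, Copy)]
pub struct ProgramHeader {
    pub p_vaddr: u64,
    pub p_memsz: u64,
}

#[derive(Debug, PartialEq)]
pub enum ElfError {
    /// p_vaddr + p_memsz does not fit in the address type.
    AddressOverflow { index: usize },
}

impl ProgramHeader {
    /// Unchecked shape: plain `+`. With overflow checks enabled this panics
    /// on a wrapping sum; without them it wraps to a small end address.
    pub fn vm_range_unchecked(&self) -> Range<usize> {
        self.p_vaddr as usize..self.p_vaddr as usize + self.p_memsz as usize
    }

    /// Checked shape: every conversion and the addition can fail cleanly.
    pub fn vm_range_checked(&self) -> Option<Range<usize>> {
        let start = usize::try_from(self.p_vaddr).ok()?;
        let size = usize::try_from(self.p_memsz).ok()?;
        Some(start..start.checked_add(size)?)
    }
}

/// Reject the whole file if any header's range overflows, so a malformed
/// input becomes an error value instead of a panic in the loader.
pub fn validate_headers(headers: &[ProgramHeader]) -> Result<Vec<Range<usize>>, ElfError> {
    headers
        .iter()
        .enumerate()
        .map(|(index, ph)| ph.vm_range_checked().ok_or(ElfError::AddressOverflow { index }))
        .collect()
}

fn main() {
    // Constructed sample headers, not taken from any real ELF file.
    let good = ProgramHeader { p_vaddr: 0x1000, p_memsz: 0x200 };
    let bad = ProgramHeader { p_vaddr: u64::MAX - 0xff, p_memsz: 0x1000 };
    assert_eq!(good.vm_range_unchecked(), 0x1000..0x1200);
    println!("{:?}", validate_headers(&[good]));
    println!("{:?}", validate_headers(&[good, bad]));
}
```

The usize::try_from conversions go one step beyond the addition named in the description: they also reject values that an `as usize` cast would silently truncate on 32-bit targets.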

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: solana_rbpf (crates.io)
Affected versions: < 0.2.29
Patched versions: 0.2.29


References

4
