Moderate severity · NVD Advisory · Published Aug 19, 2022 · Updated Apr 23, 2025

Message length overflow in frontier

CVE-2022-36008

Description

Frontier's RPC exit reason parser in EVM revert has an integer overflow bug leading to incorrect results or panic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Overview

CVE-2022-36008 is a security vulnerability in Frontier, Substrate's Ethereum compatibility layer, affecting the parsing of the RPC result for the exit reason during EVM reversions. The issue stems from an integer overflow when computing the length of the revert message from the RPC data. In the vulnerable code, the message length was derived by summing bytes from a fixed slice, which could overflow a u8, leading to an incorrect length and misparsing of the revert reason [1][3].

Exploitation

The attack vector is through crafted RPC calls that trigger an EVM revert with a specially constructed return data payload. An attacker does not need prior authentication but must be able to submit transactions to a node that exposes the RPC interface. In release builds, the overflow causes the exit reason to be parsed incorrectly, returning a wrong revert message to the caller. In debug builds, the arithmetic overflow triggers a panic, crashing the node [1][2].

Impact

A successful exploit can lead to either incorrect RPC responses, which may confuse bridge nodes that rely on distinguishing different revert reasons, or a denial-of-service (node crash) in debug builds. The vulnerability does not allow arbitrary code execution or data theft, but it compromises the reliability and availability of affected nodes [1][4].

Mitigation

The fix was implemented in pull request #820, which replaced the dangerous byte sum with a proper U256 to usize conversion using saturated_into and added bounds checking via saturating_add [2][3]. The patch was merged on August 15, 2022, and users with bridge nodes that differentiate reversion exit reasons via RPC should update Frontier to the patched version immediately.
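
The length handling before and after the fix, as an added example that is not Frontier's own code. It uses only the standard library, so len_fixed is a stand-in for the U256 conversion; len_vulnerable, revert_reason, encode_revert and the sample payload are names and data constructed for this illustration.

```rust
const LEN_START: usize = 36; // selector (4) + offset word (32)
const MESSAGE_START: usize = 68; // ... + length word (32)
const W: usize = std::mem::size_of::<usize>();

/// Pre-patch length: byte sum held in a u8. wrapping_add models the release
/// build; the original `sum::<u8>()` panics on overflow in debug builds.
fn len_vulnerable(data: &[u8]) -> usize {
    data[LEN_START..MESSAGE_START].iter().fold(0u8, |a, b| a.wrapping_add(*b)) as usize
}

/// Patched length: big-endian word saturated to usize::MAX (std stand-in for U256 + saturated_into).
fn len_fixed(data: &[u8]) -> usize {
    let (high, low) = data[LEN_START..MESSAGE_START].split_at(32 - W);
    if high.iter().any(|b| *b != 0) {
        return usize::MAX;
    }
    let mut buf = [0u8; W];
    buf.copy_from_slice(low);
    usize::from_be_bytes(buf)
}

/// Revert-reason extraction as in the handler, parameterised on the length parser.
fn revert_reason(data: &[u8], len_of: fn(&[u8]) -> usize) -> Option<String> {
    if data.len() <= MESSAGE_START {
        return None;
    }
    let end = MESSAGE_START.saturating_add(len_of(data));
    if data.len() < end {
        return None;
    }
    std::str::from_utf8(&data[MESSAGE_START..end]).ok().map(str::to_owned)
}

/// Constructed sample input: Error(string) selector, offset 0x20, length, body.
fn encode_revert(reason: &[u8]) -> Vec<u8> {
    let mut out = vec![0x08, 0xc3, 0x79, 0xa0];
    out.extend_from_slice(&[0u8; 31]);
    out.push(0x20);
    out.extend_from_slice(&[0u8; 24]);
    out.extend_from_slice(&(reason.len() as u64).to_be_bytes());
    out.extend_from_slice(reason);
    out
}

fn main() {
    let data = encode_revert(&[b'A'; 511]); // length word 0x01ff: 0x01 + 0xff wraps to 0
    println!("vulnerable: {:?}", revert_reason(&data, len_vulnerable).map(|s| s.len()));
    println!("fixed:      {:?}", revert_reason(&data, len_fixed).map(|s| s.len()));
}
```

A useful regression input is any length word whose bytes sum past 255: the 511-byte reason above is reported as an empty string by the pre-patch logic and in full by the patched logic.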

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: fc-rpc (crates.io)
Affected versions: <= 1.0.0
Patched versions: (none listed)

Patches

fff8cc43b775

Fix length checking overflow in EVM revert reason parsing (#820)

https://github.com/paritytech/frontier · Wei Tang · Aug 15, 2022 · via ghsa
1 file changed · +11 -4
  • client/rpc/src/eth/execute.rs · +11 -4 · modified
    @@ -31,6 +31,7 @@ use sp_blockchain::{BlockStatus, HeaderBackend};
     use sp_runtime::{
     	generic::BlockId,
     	traits::{BlakeTwo256, Block as BlockT},
    +	SaturatedConversion,
     };
     
     use fc_rpc_core::types::*;
    @@ -688,13 +689,19 @@ pub fn error_on_execution_failure(reason: &ExitReason, data: &[u8]) -> Result<()
     			))
     		}
     		ExitReason::Revert(_) => {
    +			const LEN_START: usize = 36;
    +			const MESSAGE_START: usize = 68;
    +
     			let mut message = "VM Exception while processing transaction: revert".to_string();
     			// A minimum size of error function selector (4) + offset (32) + string length (32)
     			// should contain a utf-8 encoded revert reason.
    -			if data.len() > 68 {
    -				let message_len = data[36..68].iter().sum::<u8>();
    -				if data.len() >= 68 + message_len as usize {
    -					let body: &[u8] = &data[68..68 + message_len as usize];
    +			if data.len() > MESSAGE_START {
    +				let message_len =
    +					U256::from(&data[LEN_START..MESSAGE_START]).saturated_into::<usize>();
    +				let message_end = MESSAGE_START.saturating_add(message_len);
    +
    +				if data.len() >= message_end {
    +					let body: &[u8] = &data[MESSAGE_START..message_end];
     					if let Ok(reason) = std::str::from_utf8(body) {
     						message = format!("{} {}", message, reason);
     					}
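
Review bot: The new length handling in the ExitReason::Revert arm (message_len and message_end) arrives without a regression test, since the commit changes one file only. Add unit tests for error_on_execution_failure covering a length word whose bytes sum past 255, a length word larger than usize, and a length that exceeds data.len(), each asserting the generic message or the full reason as appropriate. Two smaller points in the same arm: LEN_START and MESSAGE_START would be easier to audit if written as 4 + 32 and LEN_START + 32, matching the comment above the check, and the offset word in bytes 4..36 is still not validated, so the parser keeps assuming the string body starts directly after the length word.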
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
