Vyper _abi_decode Memory Overflow
Description
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitation of contracts that use arrays within _abi_decode. This vulnerability affects 0.3.10 and earlier versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vyper's _abi_decode suffers from integer overflow when using excessively large array start indices, enabling out-of-bounds memory reads and potential exploitation.
Root Cause
CVE-2024-26149 describes an integer overflow vulnerability in Vyper's _abi_decode function. When decoding arrays, if an excessively large value is specified as the starting index, the read position arithmetic overflows, causing the decoder to access memory outside the intended array bounds [1]. This flaw affects Vyper versions 0.3.10 and earlier.
Exploitation
An attacker can exploit this by crafting calldata that includes a manipulated array start index. The vulnerability can be triggered in any smart contract that uses _abi_decode to process untrusted input arrays, potentially without requiring authentication if the contract exposes such decoding to external callers [2].
Impact
Successful exploitation allows an attacker to read arbitrary memory locations outside the decoded array. This could lead to information disclosure of sensitive contract data or manipulation of contract state, depending on the context of the decoded values [1].
Mitigation
The Vyper team has addressed this vulnerability in a patch merged via pull request #4060 [4]. Users are strongly advised to upgrade to a patched version of the Vyper compiler and recompile their contracts to eliminate the overflow risk [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vyper (PyPI) | < 0.4.0 | 0.4.0 |
Affected products (1)
Patches (0)
No patches discovered yet.
References (8)
- github.com/advisories/GHSA-9p8r-4xp4-gw5w
- nvd.nist.gov/vuln/detail/CVE-2024-26149
- github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml
- github.com/vyperlang/vyper/pull/3925
- github.com/vyperlang/vyper/pull/4060
- github.com/vyperlang/vyper/pull/4091
- github.com/vyperlang/vyper/pull/4144
- github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w