RUSTSEC-2026-0144

Source
https://rustsec.org/advisories/RUSTSEC-2026-0144
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0144.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2026-0144
Aliases
Published
2026-05-07T12:00:00Z
Modified
2026-05-18T19:30:20.893450Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Summary
`Program<System>` accepts arbitrary executable programs
Details

Affected versions of anchor-lang did not properly validate accounts declared as Program<'info, System>. The generic Program<T> validation path used Pubkey::default() as a sentinel to decide whether any executable program should be accepted. Since the system program id is also the default pubkey, Program<'info, System> was treated like the untyped Program<'info> case and accepted any executable program account.

Programs commonly rely on Program<'info, System> to ensure that CPI calls and instruction builders target the real Solana system program. With the faulty validation, an attacker could supply another executable program where the system program was expected, causing downstream logic to make false assumptions about payments, account creation, or other system-program CPIs.

The issue was fixed in anchor-lang 1.0.2 by separating the typed Program<T> validation path from the untyped Program<()> path, so Program<'info, System> now checks the provided account key against the system program id. Users should upgrade to anchor-lang 1.0.2 or later.
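As an added illustration (not anchor-lang's own source and not code from the advisory), the following Rust model reproduces the sentinel logic the advisory describes beside the separated typed/untyped paths of the fix. It assumes a 32-byte `Pubkey` whose `Default` is the all-zero key, a reduced `AccountInfo` carrying only `key` and `executable`, a trait `Id` modelled on anchor's typed-program marker, and constructed sample accounts; none of these names or values are taken from the advisory.

```rust
// Added illustrative model of RUSTSEC-2026-0144, not anchor-lang's actual code.
// Assumptions: Pubkey is 32 raw bytes, accounts are a plain struct, and the
// checks return a Result instead of anchor's own error types.

/// Minimal stand-in for a Solana public key (assumption: 32 raw bytes).
#[derive(Clone, Copy, PartialEq, Eq, Debug, Default)]
pub struct Pubkey(pub [u8; 32]);

/// The system program id is the all-zero key, which is exactly what
/// `Pubkey::default()` yields. That coincidence is the root of the bug.
pub const SYSTEM_PROGRAM_ID: Pubkey = Pubkey([0u8; 32]);

/// Reduced account view: only the fields the program check looks at.
#[derive(Clone, Copy, Debug)]
pub struct AccountInfo {
    pub key: Pubkey,
    pub executable: bool,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ProgramError {
    NotExecutable,
    InvalidProgramId,
}

/// Marker trait modelled on anchor's typed-program `Id` (assumption):
/// each typed program declares the key the account must match.
pub trait Id {
    fn id() -> Pubkey;
}

/// Typed marker standing in for `Program<'info, System>`.
pub struct System;
impl Id for System {
    fn id() -> Pubkey {
        SYSTEM_PROGRAM_ID
    }
}

/// Flawed shared path, as the advisory describes it: a default pubkey is the
/// sentinel for "untyped, accept any executable program". Because
/// `System::id()` is also the default pubkey, the typed System check
/// degrades into the untyped one.
pub fn validate_program_flawed(
    account: &AccountInfo,
    expected: Pubkey,
) -> Result<(), ProgramError> {
    if !account.executable {
        return Err(ProgramError::NotExecutable);
    }
    // Sentinel test: "expected == default" is indistinguishable from
    // "expected == system program", so the key comparison is skipped.
    if expected != Pubkey::default() && account.key != expected {
        return Err(ProgramError::InvalidProgramId);
    }
    Ok(())
}

/// Fixed typed path: always compares against `T::id()`, with no sentinel.
pub fn validate_program_typed<T: Id>(account: &AccountInfo) -> Result<(), ProgramError> {
    if !account.executable {
        return Err(ProgramError::NotExecutable);
    }
    if account.key != T::id() {
        return Err(ProgramError::InvalidProgramId);
    }
    Ok(())
}

/// Fixed untyped path (`Program<'info>` / `Program<()>`): only executability
/// is required, and the path is no longer shared with the typed check.
pub fn validate_program_untyped(account: &AccountInfo) -> Result<(), ProgramError> {
    if !account.executable {
        return Err(ProgramError::NotExecutable);
    }
    Ok(())
}

/// Constructed sample: an executable account with a non-zero key, standing in
/// for "some other program" supplied where the system program was expected.
pub fn sample_other_program() -> AccountInfo {
    let mut key = [0u8; 32];
    key[0] = 0x42; // constructed value, not a real program id
    AccountInfo { key: Pubkey(key), executable: true }
}

/// Constructed sample: the genuine system program account.
pub fn sample_system_program() -> AccountInfo {
    AccountInfo { key: SYSTEM_PROGRAM_ID, executable: true }
}

fn main() {
    let other = sample_other_program();
    let system = sample_system_program();
    println!("flawed, other program as System:  {:?}", validate_program_flawed(&other, System::id()));
    println!("fixed,  other program as System:  {:?}", validate_program_typed::<System>(&other));
    println!("fixed,  real system program:      {:?}", validate_program_typed::<System>(&system));
}
```

Running `main` shows the flawed path returning `Ok(())` for the constructed non-system executable while the fixed typed path returns `InvalidProgramId` for it and `Ok(())` only for the real system program key; a downstream CPI helper that trusts the typed account is therefore protected by the key comparison, not by the executable flag alone.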

Database specific
{
    "license": "CC-BY-4.0"
}
References

Affected packages

crates.io / anchor-lang

Package

Affected ranges

Type
SEMVER
Events
Introduced
1.0.0
Fixed
1.0.2

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "arch": [],
        "functions": [],
        "os": []
    }
}

Database specific

categories
[]
source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0144.json"
informational
null
cvss
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"