Back to list

Anchor: Program<'info, System> is not properly validated — CVE-2026-45137

GitHub · GitHub · CVE-2026-45137

ID
CVE-2026-45137
Date
Activity
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
8.2

Summary

### Summary An logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in programs that invoke system program instructions. ### Details In the TryFrom<&'a AccountInfo<'a>> implementation for Program<'a, T>, the id of T is compared with Pubkey::default() to check whether anchor should allow any executable…

Product

rust: anchor-lang

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W20