CVE-2025-70956 – TON Virtual Machine (TVM) State Pollution Denial of Service

CVE ID : CVE-2025-70956

Published : Feb. 13, 2026, 10:16 p.m. | 2 hours, 13 minutes ago

Description : A State Pollution vulnerability was discovered in the TON Virtual Machine (TVM) before v2025.04. The issue exists in the RUNVM instruction logic (VmState::run_child_vm), which is responsible for initializing child virtual machines. The operation moves critical resources (specifically libraries and log) from the parent state to a new child state in a non-atomic manner. If an Out-of-Gas (OOG) exception occurs after resources are moved but before the state transition is finalized, the parent VM retains a corrupted state where these resources are emptied/invalid. Because RUNVM supports gas isolation, the parent VM continues execution with this corrupted state, leading to unexpected behavior or denial of service within the contract’s context.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…