CVE-2023-34449

Name: CVE-2023-34449
Creator: NVD / NIST
Published: 2023-06-14T21:15:09.79+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.3/10EPSS 0.97%

Last modified Jun 17, 2026

CVE-2023-34449 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. EPSS estimates a 0.97% chance of exploitation in the next 30 days.

Description

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS Probability

0.97%

57.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Parity	Ink\!	>= 4.0.0, < 4.2.1

References

https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegateExploit, Third Party Advisory
https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.htmlExploit, Third Party Advisory
https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3dbPatch
https://github.com/paritytech/ink/pull/1450Patch, Vendor Advisory
https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8fExploit, Patch, Vendor Advisory
https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegateExploit, Third Party Advisory
https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.htmlExploit, Third Party Advisory
https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3dbPatch
https://github.com/paritytech/ink/pull/1450Patch, Vendor Advisory
https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8fExploit, Patch, Vendor Advisory

Timeline

Published: Jun 14, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-34449?

How severe is CVE-2023-34449?

CVE-2023-34449 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.97% probability of exploitation in the next 30 days.

How do I fix CVE-2023-34449?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-34449?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST