{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/bsv/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-40069"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["bsv","ruby","blockchain","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe BSV Ruby SDK, a tool for interacting with the BSV blockchain, contains a vulnerability in versions prior to 0.8.2. Specifically, the \u003ccode\u003eBSV::Network::ARC\u003c/code\u003e component\u0026rsquo;s failure detection mechanism is flawed. It only recognizes \u003ccode\u003eREJECTED\u003c/code\u003e and \u003ccode\u003eDOUBLE_SPEND_ATTEMPTED\u003c/code\u003e ARC responses as failures. Responses with \u003ccode\u003etxStatus\u003c/code\u003e values like \u003ccode\u003eINVALID\u003c/code\u003e, \u003ccode\u003eMALFORMED\u003c/code\u003e, \u003ccode\u003eMINED_IN_STALE_BLOCK\u003c/code\u003e, or any \u003ccode\u003eORPHAN\u003c/code\u003e-containing string in \u003ccode\u003eextraInfo\u003c/code\u003e or \u003ccode\u003etxStatus\u003c/code\u003e are incorrectly treated as successful broadcasts. This can lead applications that rely on successful broadcast confirmations to trust transactions that were never actually accepted by the BSV network. The vulnerability is identified as CVE-2026-40069 and is patched in version 0.8.2 of the SDK. This affects any application using the vulnerable SDK to interact with the BSV blockchain where transaction confirmation is critical for subsequent actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a transaction designed to fail under specific conditions on the BSV network (e.g., invalid format, conflicts with existing transactions).\u003c/li\u003e\n\u003cli\u003eThe attacker uses an application built with a vulnerable BSV Ruby SDK (versions \u0026lt; 0.8.2) to broadcast the malicious transaction.\u003c/li\u003e\n\u003cli\u003eThe BSV network responds with an ARC response indicating a failure status, such as \u003ccode\u003eINVALID\u003c/code\u003e, \u003ccode\u003eMALFORMED\u003c/code\u003e, \u003ccode\u003eMINED_IN_STALE_BLOCK\u003c/code\u003e, or a status containing \u003ccode\u003eORPHAN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eBSV::Network::ARC\u003c/code\u003e component in the SDK incorrectly interprets the failure response as a successful broadcast due to inadequate error handling.\u003c/li\u003e\n\u003cli\u003eThe application, relying on the SDK\u0026rsquo;s flawed confirmation, proceeds with actions dependent on the transaction\u0026rsquo;s supposed success.\u003c/li\u003e\n\u003cli\u003eThese actions could include updating local state, triggering further transactions, or providing access to resources based on the false confirmation.\u003c/li\u003e\n\u003cli\u003eThe attacker benefits from the application\u0026rsquo;s misinterpretation, potentially gaining unauthorized access or manipulating the application\u0026rsquo;s state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40069 allows attackers to deceive applications using vulnerable BSV Ruby SDK versions into believing that a transaction has been successfully broadcast to the BSV blockchain when it has not. This can lead to incorrect application state, unauthorized actions, or other security breaches depending on the application\u0026rsquo;s logic. While the exact number of affected applications isn\u0026rsquo;t specified, any application relying on transaction confirmation from the BSV Ruby SDK prior to version 0.8.2 is potentially vulnerable. This could impact financial applications, supply chain management systems, or any other application using the BSV blockchain for critical operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all instances of the BSV Ruby SDK to version 0.8.2 or later to remediate CVE-2026-40069.\u003c/li\u003e\n\u003cli\u003eImplement additional transaction verification mechanisms independent of the BSV Ruby SDK in applications where transaction confirmation is critical.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect BSV Ruby SDK ARC Response Errors\u0026rdquo; to identify potentially vulnerable applications based on network traffic patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:17:03Z","date_published":"2026-04-09T18:17:03Z","id":"/briefs/2024-01-bsv-ruby-sdk-vuln/","summary":"BSV Ruby SDK versions before 0.8.2 improperly handle ARC responses, treating certain failure statuses as successful broadcasts, potentially tricking applications into trusting unaccepted transactions; version 0.8.2 resolves this vulnerability.","title":"BSV Ruby SDK Improper ARC Response Handling","url":"https://feed.craftedsignal.io/briefs/2024-01-bsv-ruby-sdk-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Bsv","version":"https://jsonfeed.org/version/1.1"}