{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4931", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-03-26T19:31:49.120Z", "datePublished": "2026-04-07T15:22:36.700Z", "dateUpdated": "2026-04-08T14:45:03.884Z"}, "containers": {"cna": {"title": "CVE-2026-4931", "descriptions": [{"lang": "en", "value": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Marginal", "product": "Marginal Smart Contract", "versions": [{"status": "affected", "version": "1"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-681 Incorrect Conversion between Numeric Types"}]}], "references": [{"url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types"}, {"url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041/"}, {"url": "https://marginal.gitbook.io/docs"}, {"url": "https://github.com/MarginalProtocol"}, {"url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4931"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T15:22:36.700Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-681", "lang": "en", "description": "CWE-681 Incorrect Conversion between Numeric Types"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:44:25.365284Z", "id": "CVE-2026-4931", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:45:03.884Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4931", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:44:25.365284Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-681", "description": "CWE-681 Incorrect Conversion between Numeric Types"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:42:46.362Z"}}], "cna": {"title": "CVE-2026-4931", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Marginal", "product": "Marginal Smart Contract", "versions": [{"status": "affected", "version": "1"}]}], "references": [{"url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types"}, {"url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041/"}, {"url": "https://marginal.gitbook.io/docs"}, {"url": "https://github.com/MarginalProtocol"}, {"url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-4931"}, "descriptions": [{"lang": "en", "value": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-681 Incorrect Conversion between Numeric Types"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-07T15:22:36.700Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4931", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:45:03.884Z", "dateReserved": "2026-03-26T19:31:49.120Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-07T15:22:36.700Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"product": "Marginal Smart Contract", "vendor": "Marginal", "versions": [{"status": "affected", "version": "1"}]}], "source": "cret@cert.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:marginal:v1-core:*:*:*:*:*:*:*:*", "matchCriteriaId": "B67F41A5-EAF7-4420-ADBF-21E4CB8DC1A0", "versionEndIncluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost."}], "id": "CVE-2026-4931", "lastModified": "2026-06-17T10:57:28.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-4931", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-04-08T14:44:25.365284Z", "version": "2.0.3"}}]}, "published": "2026-04-07T16:16:30.410", "references": [{"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://github.com/MarginalProtocol"}, {"source": "cret@cert.org", "tags": ["Product"], "url": "https://marginal.gitbook.io/docs"}, {"source": "cret@cert.org", "tags": ["Mitigation", "Press/Media Coverage", "Third Party Advisory"], "url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db"}, {"source": "cret@cert.org", "tags": ["Not Applicable"], "url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041/"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Marginal Smart Contract", "source": "cna", "vendor": "Marginal"}, "product": "marginal_smart_contract", "vendor": "marginal"}], "analysis": {"en": {"generated_at": "2026-04-08T16:26:59.791935+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s security update that corrects the unsafe downcast in Marginal v1.", "If no update is available yet, avoid sending transactions that settle debt positions on the vulnerable contract until a fix is released.", "Continuously monitor the vendor\u2019s advisory channels for a patch announcement."], "summary": {"action": "Apply Patch", "impact": "Financial Loss Due to Unauthorized Debt Settlement"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Marginal Smart Contract, specifically version 1 of the contract. No additional version granularity is reported. The issue is tied directly to the smart contract code deployed by the Marginal Protocol team.", "description_and_impact": "The smart contract in Marginal v1 contains an unsafe downcast that allows an attacker to settle a large debt position for a negligible asset cost. This flaw represents an incorrect conversion between numeric types, enabling the manipulation of debt settlement logic and potentially draining or redirecting funds. The vulnerability compromises the integrity of the contract\u2019s financial operations, allowing attackers to achieve large economic gains at minimal expense.", "risk_and_exploitability": "The CVSS score of 6.8 indicates moderate risk, while the EPSS score of less than 1% suggests a low likelihood that attackers have already leveraged this flaw in the wild. The vulnerability is not currently listed in CISA\u2019s KEV catalog, implying no known active exploitation. The attack vector is inferred to be an on\u2011chain transaction that triggers the unsafe downcast during debt settlement, requiring only that an attacker crafts a transaction to the vulnerable contract."}}}}, "created": "2026-04-08T19:37:05.269704+00:00", "title": "Unsafe Downcast in Marginal v1 Smart Contract Enables Low\u2011Cost Debt Settlement", "updated": "2026-04-08T19:48:15.599849+00:00", "vendors": ["marginal", "marginal$PRODUCT$marginal_smart_contract"]}