{"id":"RUSTSEC-2026-0144","summary":"`Program\u003cSystem\u003e` accepts arbitrary executable programs","details":"Affected versions of `anchor-lang` did not properly validate accounts declared\nas `Program\u003c'info, System\u003e`. The generic `Program\u003cT\u003e` validation path used\n`Pubkey::default()` as a sentinel to decide whether any executable program\nshould be accepted. Since the system program id is also the default pubkey,\n`Program\u003c'info, System\u003e` was treated like the untyped `Program\u003c'info\u003e` case and\naccepted any executable program account.\n\nPrograms commonly rely on `Program\u003c'info, System\u003e` to ensure that CPI calls and\ninstruction builders target the real Solana system program. With the faulty\nvalidation, an attacker could supply another executable program where the system\nprogram was expected, causing downstream logic to make false assumptions about\npayments, account creation, or other system-program CPIs.\n\nThe issue was fixed in `anchor-lang` 1.0.2 by separating the typed\n`Program\u003cT\u003e` validation path from the untyped `Program\u003c()\u003e` path, so\n`Program\u003c'info, System\u003e` now checks the provided account key against the system\nprogram id. Users should upgrade to `anchor-lang` 1.0.2 or later.","aliases":["CVE-2026-45137","GHSA-c6rc-8jpp-2fgc"],"modified":"2026-05-18T19:30:20.893450Z","published":"2026-05-07T12:00:00Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/anchor-lang"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0144.html"},{"type":"ADVISORY","url":"https://github.com/otter-sec/anchor/security/advisories/GHSA-c6rc-8jpp-2fgc"},{"type":"WEB","url":"https://github.com/solana-foundation/anchor/releases/tag/v1.0.2"}],"affected":[{"package":{"name":"anchor-lang","ecosystem":"crates.io","purl":"pkg:cargo/anchor-lang"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.0.0"},{"fixed":"1.0.2"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N","source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0144.json","informational":null,"categories":[]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}]}