GHSA-C32P-WCQJ-J677

Vulnerability from github – Published: 2026-01-23 16:56 – Updated: 2026-01-23 16:56
VLAI?
Summary
CometBFT has inconsistencies between how commit signatures are verified and how block time is derived
Details

CSA-2026-001: Tachyon

Description

Name: CSA-2026-001: Tachyon

Criticality: Critical (Catastrophic Impact; Possible Likelihood per ACMv1.2)

Affected versions: All versions of CometBFT

Affected users: Validators and protocols relying on block timestamps

Description

A consensus-level vulnerability was discovered in CometBFT's "BFT Time" implementation due to an inconsistency between how commit signatures are verified and how block time is derived.

This breaks a core BFT Time guarantee: "A faulty process cannot arbitrarily increase the Time value."

Impact

Downstream impact on chains affects any module, smart contract, or system that relies on the block timestamp.

Patches

The new CometBFT releases v0.38.21 and v0.37.18 fix this issue. The main unreleased branch is also patched.

Workarounds

There are no effective workarounds for this vulnerability. Upgrading to patched versions is required.

Timeline

  • January 8, 2026, 5:27PM UTC: Issue reported to Cosmos Bug Bounty Program
  • January 9, 2026, 4:55AM UTC: Issue triaged and validated by core team
  • January 12, 2026, 10:25PM UTC: Core team completes patch for the issue
  • January 13, 2026 4:41PM UTC: Pre-notification delivered to ecosystem partners
  • January 23, 2026, 3:00PM UTC: Patch made available

Credits

This issue was reported to the Cosmos Bug Bounty Program on HackerOne. Credit to SEAL 911 and QED Audit for the discovery and help with the patch.

If you believe you have found a bug in the Cosmos Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Cosmos security efforts, please reach out to our official communication channel at security@cosmoslabs.io.

A Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.

Severity ?
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.38.20"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cometbft/cometbft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.38.0-alpha.1"
            },
            {
              "fixed": "0.38.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.37.17"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cometbft/cometbft"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.37.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-703"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-23T16:56:23Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# CSA-2026-001: Tachyon\n\n## Description\n\n**Name:** CSA-2026-001: Tachyon\n\n**Criticality:** Critical (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))\n\n**Affected versions:** All versions of CometBFT\n\n**Affected users:** Validators and protocols relying on block timestamps\n\n## Description\n\nA consensus-level vulnerability was discovered in CometBFT\u0027s \"BFT Time\" implementation due to an inconsistency between how commit signatures are verified and how block time is derived.\n\nThis breaks a core BFT Time guarantee: \"A faulty process cannot arbitrarily increase the Time value.\"\n\n## Impact\n\nDownstream impact on chains affects any module, smart contract, or system that relies on the block timestamp.\n\n## Patches\n\nThe new CometBFT releases [v0.38.21](https://github.com/cometbft/cometbft/releases/tag/v0.38.21) and [v0.37.18](https://github.com/cometbft/cometbft/releases/tag/v0.37.18) fix this issue. The `main` unreleased branch is also patched.\n\n## Workarounds\n\nThere are no effective workarounds for this vulnerability. Upgrading to patched versions is required.\n\n## Timeline\n\n- January 8, 2026, 5:27PM UTC: Issue reported to Cosmos Bug Bounty Program\n- January 9, 2026, 4:55AM UTC: Issue triaged and validated by core team\n- January 12, 2026, 10:25PM UTC: Core team completes patch for the issue\n- January 13, 2026 4:41PM UTC: Pre-notification delivered to ecosystem partners\n- January 23, 2026, 3:00PM UTC: Patch made available\n\n## Credits\n\nThis issue was reported to the Cosmos Bug Bounty Program on HackerOne. Credit to SEAL 911 and [QED Audit](https://x.com/QED_Audit) for the discovery and help with the patch.\n\nIf you believe you have found a bug in the Cosmos Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.\n\nIf you have questions about Cosmos security efforts, please reach out to our official communication channel at security@cosmoslabs.io.\n\nA Github Security Advisory for this issue is available in the CometBFT repository. For more information about CometBFT, see https://docs.cometbft.com/.",
  "id": "GHSA-c32p-wcqj-j677",
  "modified": "2026-01-23T16:56:23Z",
  "published": "2026-01-23T16:56:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/security/advisories/GHSA-c32p-wcqj-j677"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/commit/bf8274fcdbcab2bc652660ae627196a90a6efb97"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cometbft/cometbft"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/releases/tag/v0.37.18"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cometbft/cometbft/releases/tag/v0.38.21"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "CometBFT has inconsistencies between how commit signatures are verified and how block time is derived"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.