CVE-2023-26488 — Incorrect Calculation in Contracts

CWE-682 — Incorrect Calculation4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 45.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openzeppelin Contracts Openzeppelin Contracts Upgradeable Openzeppelin Contracts-upgradeable +1 more

Timeline

PublishedMar 3

Latest updateNov 3

Description

OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. The issue has been patched in 4.8.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDopenzeppelin/contracts4.8.0 — 4.8.2

▶npmopenzeppelin/contracts4.8.0 — 4.8.2

▶NVDopenzeppelin/contracts_upgradeable4.8.0 — 4.8.2

▶npmopenzeppelin/contracts-upgradeable4.8.0 — 4.8.2

▶CVEListV5openzeppelin/openzeppelin-contracts>= 4.8.0, < 4.8.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

OpenZeppelin Contracts contains Incorrect Calculation↗2023-03-03

▶

GHSA

OpenZeppelin Contracts contains Incorrect Calculation↗2023-03-03

▶

📄Research Papers

arXiv

FTSmartAudit: A Knowledge Distillation-Enhanced Framework for Automated Smart Contract Auditing Using Fine-Tuned LLMs↗2025-11-03

▶