
KeyAudit

Tags: audit-finding, infrastructure

Solana Program Relocation Flaw Allows Arbitrary Code via Empty Bytecode

On May 27, 2026, a research article revealed a critical vulnerability in Solana's SBPF (Solana Bytecode Format) v0, v1, and v2 programs, affecting the anza-xyz/sbpf crate at release v0.14.2. The flaw lies in the relocation processing during ELF loading: the SBPF VM's loader does not verify whether a relocation write targets a legitimate instruction operand, so a relocation can write to any offset within the ELF file. This lets an attacker deploy a program whose .text section is entirely zeroed (no code) and have it overwritten during relocation to perform arbitrary operations, such as logging a custom message. The technique exploits the R_BPF_64_32 relocation type, used for function calls, which writes a 32-bit Murmur3 hash into the instruction's immediate field. By crafting the relocation entries, the attacker can overwrite the entire bytecode with the desired instructions. The vulnerability affects only SBPF v0-v2; v3+ programs are immune because they skip relocation processing. This could allow malicious programs to bypass verification and execute unauthorized actions on the Solana network.

Key facts

  • Vulnerability in SBPF v0-v2 relocation processing allows arbitrary bytecode writes.
  • Zeroed-out .text section can be overwritten via crafted relocation entries.
  • Exploits the R_BPF_64_32 relocation type, which writes a 32-bit hash into an instruction's immediate field.
  • Affects anza-xyz/sbpf crate v0.14.2; v3+ programs are safe.
  • Proof of concept demonstrates logging arbitrary messages on Solana.
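The missing check described above, shown as an added example that is not code from the sbpf crate or from the research article: the unchecked writer patches whatever offset the relocation names, while the hardened variant only patches the immediate of a `call` instruction sitting on an instruction boundary inside .text. It assumes 8-byte SBPF instructions with the immediate at byte 4, opcode 0x85 for `call imm`, and that r_offset points at the start of the instruction being relocated.

```rust
// Added example (not from anza-xyz/sbpf). Assumptions: SBPF instructions are
// 8 bytes (opcode, regs, 16-bit offset, 32-bit imm), `call imm` is opcode
// 0x85, and a relocation's r_offset names the start of the patched instruction.
const INSN_SIZE: usize = 8;
const IMM_OFFSET: usize = 4;
const OP_CALL_IMM: u8 = 0x85;
const OP_EXIT: u8 = 0x95;

#[derive(Debug, PartialEq)]
pub enum RelocError {
    OutOfBounds,
    Misaligned,
    NotCallInsn(u8),
}

/// The behaviour the finding describes: write the 32-bit hash wherever the
/// relocation entry points, with no check that the target is an operand.
pub fn apply_unchecked(text: &mut [u8], r_offset: usize, hash: u32) -> Result<(), RelocError> {
    let start = r_offset.checked_add(IMM_OFFSET).ok_or(RelocError::OutOfBounds)?;
    let end = start.checked_add(4).ok_or(RelocError::OutOfBounds)?;
    let slot = text.get_mut(start..end).ok_or(RelocError::OutOfBounds)?;
    slot.copy_from_slice(&hash.to_le_bytes());
    Ok(())
}

/// Hardened variant: the relocation must land on an instruction boundary
/// inside .text and that instruction must be a `call imm`.
pub fn apply_checked(text: &mut [u8], r_offset: usize, hash: u32) -> Result<(), RelocError> {
    if r_offset % INSN_SIZE != 0 {
        return Err(RelocError::Misaligned);
    }
    let end = r_offset.checked_add(INSN_SIZE).ok_or(RelocError::OutOfBounds)?;
    let insn = text.get(r_offset..end).ok_or(RelocError::OutOfBounds)?;
    if insn[0] != OP_CALL_IMM {
        return Err(RelocError::NotCallInsn(insn[0]));
    }
    apply_unchecked(text, r_offset, hash)
}

/// Constructed sample .text: `call 0` followed by `exit`.
pub fn sample_text() -> Vec<u8> {
    let mut t = vec![0u8; 2 * INSN_SIZE];
    t[0] = OP_CALL_IMM;
    t[INSN_SIZE] = OP_EXIT;
    t
}
```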

KeyAudit data perspective

📊 KeyAudit data: Solana historical leak records: 717550
