GHSA-429q-fhh4-r6hj
Anchor: `InterfaceAccount` allows account substitution between unexpected types
Details
### Impact
Any use of `InterfaceAccount` allows another, unexpected account type to be passed, after https://github.com/solana-foundation/anchor/pull/3837 disabled discriminator checking for this type.
The bug was originally reported and fixed in https://github.com/solana-foundation/anchor/pull/4139; see that PR for more details.
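
A simplified model of the account substitution described under Impact, as an added example that is not Anchor's code or part of the advisory. The account types, the 8-byte tags standing in for discriminators, and all function names are constructed for illustration.

```rust
// Simplified model of discriminator checking; not Anchor's implementation.
// The 8-byte tags and both account types are constructed for illustration.
const VAULT_DISC: [u8; 8] = *b"VAULT\0\0\0";
const PROFILE_DISC: [u8; 8] = *b"PROFILE\0";

#[derive(Debug, PartialEq)]
struct Vault { authority: [u8; 32], balance: u64 }

#[derive(Debug, PartialEq)]
enum LoadError { TooShort, DiscriminatorMismatch }

// Decode the body after the 8-byte tag: 32-byte key, then u64 little-endian.
fn decode_body(data: &[u8]) -> Result<Vault, LoadError> {
    if data.len() < 8 + 32 + 8 {
        return Err(LoadError::TooShort);
    }
    let mut authority = [0u8; 32];
    authority.copy_from_slice(&data[8..40]);
    let mut amount = [0u8; 8];
    amount.copy_from_slice(&data[40..48]);
    Ok(Vault { authority, balance: u64::from_le_bytes(amount) })
}

// With the check disabled, any account with a compatible layout decodes.
fn load_vault_unchecked(data: &[u8]) -> Result<Vault, LoadError> {
    decode_body(data)
}

// With the check in place, the tag must match the expected account type.
fn load_vault_checked(data: &[u8]) -> Result<Vault, LoadError> {
    if data.len() < 8 { return Err(LoadError::TooShort); }
    if data[..8] != VAULT_DISC {
        return Err(LoadError::DiscriminatorMismatch);
    }
    decode_body(data)
}

// Constructed sample data: serialize an account with the given tag and fields.
fn serialize(disc: [u8; 8], key: [u8; 32], value: u64) -> Vec<u8> {
    let mut out = disc.to_vec();
    out.extend_from_slice(&key);
    out.extend_from_slice(&value.to_le_bytes());
    out
}

fn main() {
    // A different account type with the same layout, passed where a Vault is expected.
    let other = serialize(PROFILE_DISC, [7u8; 32], 1_000_000);
    println!("unchecked: {:?}", load_vault_unchecked(&other));
    println!("checked:   {:?}", load_vault_checked(&other));
}
```

Without the tag comparison, the program treats fields of the substituted account as if they belonged to the expected type; with it, the load fails before any field is read.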
### Patches
https://github.com/solana-foundation/anchor/pull/4139 patched the issue and was released in `1.0.0-rc.2`. Users should upgrade to the latest released version of Anchor 1.0.
### References
- Bug landed in: https://github.com/solana-foundation/anchor/pull/3837
- Bug fixed in: https://github.com/solana-foundation/anchor/pull/4139
Affected packages
Affected: 1.0.0-rc.1. Fixed in: 1.0.0-rc.2. Upgrade anchor-lang (ecosystem: crates.io) to 1.0.0-rc.2 or newer.
References
- https://github.com/otter-sec/anchor/security/advisories/GHSA-429q-fhh4-r6hj [WEB]
- https://github.com/solana-foundation/anchor/security/advisories/GHSA-429q-fhh4-r6hj [WEB]
- https://github.com/solana-foundation/anchor/pull/3837 [WEB]
- https://github.com/solana-foundation/anchor/pull/4139 [WEB]
- https://github.com/solana-foundation/anchor/commit/26ef36968a62e28a1f028e7adae4806af30c747d [WEB]
- https://github.com/solana-foundation/anchor [PACKAGE]
- https://rustsec.org/advisories/RUSTSEC-2026-0146.html [WEB]