Back to Research
SecuritySolana

Inside the SVM: sBPF JIT Security Pitfalls and Memory Leaks

A look into sBPF execution paths and JIT details, using real vulnerabilities to understand trust boundaries.

LimeFebruary 17, 2026
Inside the SVM: sBPF JIT Security Pitfalls and Memory Leaks

Introduction

The Solana Virtual Machine (SVM) relies on sBPF — a modified Berkeley Packet Filter — to execute on-chain programs. While the JIT compiler delivers impressive throughput, its complexity introduces subtle attack surfaces that most auditors overlook.

In this post, we dissect two classes of vulnerabilities we've encountered during audits: JIT compilation edge cases and memory lifecycle bugs that can lead to data leaks between transactions.

sBPF Execution Model

Programs deployed to Solana are compiled to sBPF bytecode. At runtime, the validator can either:

  1. Interpret the bytecode instruction-by-instruction
  2. JIT compile it to native x86-64 for faster execution

The JIT path is where things get interesting. The compiler must enforce the same safety guarantees as the interpreter — memory bounds, stack depth, instruction limits — but does so through generated machine code.

// Simplified JIT memory check pattern
fn emit_bounds_check(&mut self, addr: u64, len: u64) {
    // Must verify: addr >= region_start && addr + len <= region_end
    // Off-by-one here = arbitrary read/write
    self.emit_cmp(addr, self.region_start);
    self.emit_jb(self.error_handler);
    self.emit_cmp(addr + len, self.region_end);
    self.emit_ja(self.error_handler);  // Should be jae
}

The Memory Leak Pattern

Between CPI (Cross-Program Invocation) calls, the runtime reuses memory regions. If a program doesn't zero out sensitive data before returning, the next callee might read stale data from a previous execution context.

Impact

  • Cross-program data leakage: Private keys, seeds, or intermediate computation results left in memory
  • Determinism violations: Programs behaving differently based on memory state from prior executions
  • Exploitable oracles: Attackers crafting CPI chains to extract leaked data

Mitigation Strategies

For program developers:

  • Always zero sensitive buffers before returning from CPI calls
  • Use sol_memset rather than manual loops — the compiler may optimize away "dead" zeroing
  • Audit your stack frame usage — local variables on the stack are not automatically cleared

For validators and runtime developers:

  • Consider zeroing memory regions between CPI invocations (performance trade-off)
  • Add JIT compiler fuzzing to CI pipelines
  • Implement shadow memory tracking for debug builds

Conclusion

The SVM's JIT compiler is a remarkable piece of engineering, but complexity breeds bugs. As Solana's ecosystem grows and programs become more interconnected through CPI, these low-level issues become increasingly critical.

We'll be open-sourcing our sBPF JIT fuzzer next month. Follow our research for updates.