
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vyper, a Pythonic smart contract language for the EVM, has a vulnerability in its sqrt() builtin function (CVE-2025-26622). The vulnerability was discovered and disclosed on February 21, 2025, and affects all versions up to 0.4.0. The issue stems from improper handling of oscillating final states in the Babylonian method used to calculate square roots of decimals (GitHub Advisory).
The vulnerability lies in the implementation of the Babylonian method for square root calculation. The algorithm terminates either when zcur == zprev or after 256 rounds. For certain inputs, the value of z never settles and instead oscillates between N and N + epsilon, where N^2 <= x < (N + epsilon)^2. When the loop ends on the larger value, the function returns a rounded-up result instead of consistently rounding down (GitHub Advisory).
The impact of this vulnerability is considered low due to the rare usage of sqrt() in production environments. However, since sqrt() can be used for determining boundary conditions, the undefined rounding behavior could potentially affect applications that rely on precise square root calculations for boundary checks (GitHub Advisory).
The issue is being addressed in version 0.4.1 of Vyper, which ensures the result is consistently rounded down. Users are advised to upgrade to version 0.4.1 when it becomes available. No workarounds are currently known for this vulnerability (GitHub PR).
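The oscillation described above can be reproduced with a small fixed-point model. This is an added example, not Vyper's source code and not the project's patch: the 10-decimal integer scaling, the initial guess x/2 + 0.5, the function names and the constructed input are assumptions, and sqrt_round_down shows only one way to force a rounded-down result.

```python
import math

SCALE = 10**10  # assumption: decimal x is stored as the integer x * 10**10

def _iterate(x, rounds, scale):
    """Run the loop described above; return the last two iterates (prev, z)."""
    prev, z = x, x // 2 + scale // 2        # assumed initial guess: x/2 + 0.5
    for _ in range(rounds):
        if z == prev:                       # converged to a fixed point
            break
        # truncating fixed-point step: z = (x / z + z) / 2
        prev, z = z, (x * scale // z + z) // 2
    return prev, z

def sqrt_oscillating(x, rounds=256, scale=SCALE):
    """Returns whatever z holds when the loop ends (the behaviour at issue)."""
    return 0 if x == 0 else _iterate(x, rounds, scale)[1]

def sqrt_round_down(x, rounds=256, scale=SCALE):
    """Returns the smaller of the last two iterates: N, never N + epsilon."""
    return 0 if x == 0 else min(_iterate(x, rounds, scale))

def is_rounded_up(x, result, scale=SCALE):
    """True when result exceeds the exact floor of sqrt(x) in fixed point."""
    return result > math.isqrt(x * scale)

# Constructed input: x = 0.9999999998, chosen so x * SCALE + 1 is a perfect square
X = 10**10 - 2

if __name__ == "__main__":
    for name, fn in (("oscillating", sqrt_oscillating),
                     ("round_down", sqrt_round_down)):
        r = fn(X)
        print(f"{name:12s} sqrt(0.{X}) = 0.{r:010d} "
              f"rounded_up={is_rounded_up(X, r)}")
```

In this model the value returned by sqrt_oscillating depends on the parity of the round count, which is why a boundary check built on it can land on either side of the true square root.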
Source: This report was generated using AI