4 changes: 4 additions & 0 deletions Changelog.md
@@ -9,6 +9,10 @@ Compiler Features:
* Standard JSON Interface: Introduce `settings.experimental` setting required for enabling the experimental mode.
* Yul EVM Code Transform: Improve stack shuffler performance by fixing a BFS deduplication issue.

Important Bugfixes:
* Code Generator: Fix unchecked multiplication overflow when computing storage slot offsets during element access on arrays whose base type is large enough for the product of the index and the storage size to overflow, which could silently read from or write to incorrect storage slots.
* Evmasm Code Generator: Fix unchecked multiplication overflow when computing the storage size of dynamic arrays during deletion, which could result in `delete` silently leaving stale data in storage.

Bugfixes:


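Review bot: the two new Important Bugfixes entries describe only the previous (silent) behaviour and not what happens after the fix; consider ending each with the new behaviour, as the bugs.json description in this PR does ("With the fix, both code generators now revert with an arithmetic overflow panic in these situations."), e.g. `... which could silently read from or write to incorrect storage slots; such accesses now revert with an arithmetic overflow panic.` The first entry also says only `Code Generator`, while the bugs.json description states that element access is affected in both the legacy and the IR code generator, so it may be worth saying `both code generators` explicitly there.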
10 changes: 10 additions & 0 deletions docs/bugs.json
@@ -1,4 +1,14 @@
[
{
"uid": "SOL-2026-2",
"name": "UncheckedArrayStorageSizeOverflow",
"summary": "Operations on storage arrays whose base type is large enough for the product of the element count or index and the storage size to overflow could silently corrupt storage due to unchecked multiplication overflow.",
"description": "When computing storage slot offsets for array operations, the code generators multiply a value (array length or element index) by the storage size of the base type. This multiplication was performed without an overflow check in several places, so when the product exceeded ``2**256``, the result would wrap to a smaller value. This affected two operations: (1) deleting a dynamic storage array (legacy code generator only, the IR code generator already used overflow-checked arithmetic for this), where the clearing loop would process fewer slots than necessary, leaving stale data in storage; (2) accessing an element by index (both code generators), where the access would silently read from or write to an incorrect storage slot, leading to data corruption. The bug required a dynamic storage array whose base type occupies enough slots for the relevant product to overflow (e.g., ``uint256[2**255][]`` where the base type occupies ``2**255`` slots). With the fix, both code generators now revert with an arithmetic overflow panic in these situations.",
"link": "",
"introduced": "0.1.0",
Member Author
The oldest version I could test using Remix was v0.1.3+commit.028f561d, but the bug likely dates back to the introduction of convertLengthToSize in https://github.com/argotorg/solidity/pull/1/changes#diff-bda18cdea6a1adc5907560e2625cd6d135e40fe81a48d0d9e04978d5f0e0586eR626.

"fixed": "0.8.35",
"severity": "low"
},
{
"uid": "SOL-2026-1",
"name": "TransientStorageClearingHelperCollision",