Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.
AnalysisAI
Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An unauthenticated network attacker exploits an off-by-one bounds check error (using > instead of >=) to trigger an out-of-bounds index panic before signature verification occurs. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a straightforward denial-of-service vector against Proof-of-Stake validators in the Nimiq blockchain network, though no public exploit
Technical ContextAI
Nimiq core-rs-albatross implements the Albatross consensus algorithm, a Proof-of-Stake blockchain protocol written in Rust. The vulnerability resides in the Tendermint proposal message handling logic within ProposalSender::send. The code performs a bounds check on the signer field against validators.num_validators() using a greater-than comparison (signer > num_validators) rather than greater-than-or-equal (signer >= num_validators). When an attacker sets signer exactly equal to num_validators(), the validation passes incorrectly, allowing execution to proceed to validators.get_validator_by_slot_band(signer). Since valid validator indices are zero-based (0 to num_validators-1), this causes an out-of-bounds array access. Rust's panic-on-out-of-bounds behavior terminates the validator process immediately, before the code reaches any cryptographic signature verification that would reject the malicious message. This is classified as CWE-125 (Out-of-bounds Read), though the immediate impact is availability disruption rather than information disclosure, as the panic occurs before data exfiltration. The affected product is identified by CPE cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:*:*:*, covering all versions prior to the 1.3.0 fix.
RemediationAI
Upgrade to Nimiq core-rs-albatross version 1.3.0 or later, released January 2025, which corrects the bounds check from > to >= in ProposalSender::send. The fix is documented in GitHub pull request #3661 (https://github.com/nimiq/core-rs-albatross/pull/3661) and commit 9199364b60c7acae4219800d194bbe07d2997b8c (https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c). Release notes are available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. No workarounds are documented; patching is the only remediation. Validator operators should prioritize this update to prevent service disruption during consensus operations.
More in Core Rs Albatross
View allInteger truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge c
Timestamp manipulation in Nimiq Core Rust implementation (nimiq-blockchain 1.3.0 and earlier) allows authenticated block
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic de
Denial of service in Nimiq Core RS Albatross prior to version 1.3.0 allows remote attackers to crash full nodes by sendi
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22061