Core Rs Albatross
CVE-2026-33184
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.
AnalysisAI
Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via crafted peer handshake. Attackers send limit=0 during discovery handshake, causing arithmetic underflow (0-1 wraps to usize::MAX) when session transitions to Established state, resulting in capacity overflow panic when allocating peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis, but EPSS indicates low exploitation probability and attack is trivially reproducible given simple network message crafting.
Technical ContextAI
Nimiq core-rs-albatross implements the Albatross proof-of-stake consensus algorithm for the Nimiq blockchain network. The vulnerability resides in the peer discovery handler's session lifecycle management. During the handshake phase, the handler accepts a peer_list_limit parameter from remote peers without validation and stores it directly. While the immediate HandshakeAck code path safely handles limit=0 by returning zero contacts, the code fails to validate this value before the session transitions to Established state. Once established, the periodic peer list update mechanism performs arithmetic: self.peer_list_limit.unwrap() as usize - 1. This operation exhibits classic CWE-191 (Integer Underflow/Wraparound) behavior - when limit=0, subtracting 1 wraps around to usize::MAX (18,446,744,073,709,551,615 on 64-bit systems). This massive value is then passed to the rand 0.9.2 crate's choose_multiple() function, which immediately attempts Vec::with_capacity(usize::MAX), triggering a deterministic panic due to capacity overflow. The vulnerability demonstrates improper input validation combined with unsafe arithmetic on untrusted network data in Rust's otherwise memory-safe environment.
RemediationAI
Upgrade to Nimiq core-rs-albatross version 1.3.0 or later, which includes the fix merged via pull request #3664 and committed in 8f60a2d75b74b55764ecf34bd4435f4961630595. The patch adds proper input validation to reject peer_list_limit values of zero before storing them, preventing the integer underflow condition. Organizations can download the patched release from https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. As a temporary workaround for environments unable to upgrade immediately, implement network-level filtering to restrict peer connections to trusted nodes only, or deploy monitoring to detect and automatically restart nodes experiencing unexpected panics. Review firewall rules to limit exposure of vulnerable nodes to untrusted network participants. No configuration-based mitigation exists since the vulnerability requires code-level fixes to the handshake validation logic.
More in Core Rs Albatross
View allInteger truncation in Nimiq core-rs-albatross's skip block proof verification allows authenticated validators to forge c
Timestamp manipulation in Nimiq Core Rust implementation (nimiq-blockchain 1.3.0 and earlier) allows authenticated block
Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An
Denial of service in Nimiq Core RS Albatross prior to version 1.3.0 allows remote attackers to crash full nodes by sendi
Panic-triggered denial of service in Nimiq's core-rs-albatross (versions prior to 1.4.0) allows a network-level attacker
Same weakness CWE-191 – Integer Underflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today