Skip to main content

Core Rs Albatross CVE-2026-33184

HIGH
Integer Underflow (CWE-191)
2026-04-03 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 03, 2026 - 23:15 vuln.today
CVE Published
Apr 03, 2026 - 22:09 nvd
HIGH 7.5

DescriptionGitHub Advisory

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.

AnalysisAI

Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via crafted peer handshake. Attackers send limit=0 during discovery handshake, causing arithmetic underflow (0-1 wraps to usize::MAX) when session transitions to Established state, resulting in capacity overflow panic when allocating peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis, but EPSS indicates low exploitation probability and attack is trivially reproducible given simple network message crafting.

Technical ContextAI

Nimiq core-rs-albatross implements the Albatross proof-of-stake consensus algorithm for the Nimiq blockchain network. The vulnerability resides in the peer discovery handler's session lifecycle management. During the handshake phase, the handler accepts a peer_list_limit parameter from remote peers without validation and stores it directly. While the immediate HandshakeAck code path safely handles limit=0 by returning zero contacts, the code fails to validate this value before the session transitions to Established state. Once established, the periodic peer list update mechanism performs arithmetic: self.peer_list_limit.unwrap() as usize - 1. This operation exhibits classic CWE-191 (Integer Underflow/Wraparound) behavior - when limit=0, subtracting 1 wraps around to usize::MAX (18,446,744,073,709,551,615 on 64-bit systems). This massive value is then passed to the rand 0.9.2 crate's choose_multiple() function, which immediately attempts Vec::with_capacity(usize::MAX), triggering a deterministic panic due to capacity overflow. The vulnerability demonstrates improper input validation combined with unsafe arithmetic on untrusted network data in Rust's otherwise memory-safe environment.

RemediationAI

Upgrade to Nimiq core-rs-albatross version 1.3.0 or later, which includes the fix merged via pull request #3664 and committed in 8f60a2d75b74b55764ecf34bd4435f4961630595. The patch adds proper input validation to reject peer_list_limit values of zero before storing them, preventing the integer underflow condition. Organizations can download the patched release from https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. As a temporary workaround for environments unable to upgrade immediately, implement network-level filtering to restrict peer connections to trusted nodes only, or deploy monitoring to detect and automatically restart nodes experiencing unexpected panics. Review firewall rules to limit exposure of vulnerable nodes to untrusted network participants. No configuration-based mitigation exists since the vulnerability requires code-level fixes to the handshake validation logic.

Share

CVE-2026-33184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy