Canonical
CVE-2026-34061
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks. The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This issue has been patched in version 1.3.0.
AnalysisAI
Elected validator proposers in nimiq/core-rs-albatross before version 1.3.0 can submit election macro blocks with malformed interlink headers that bypass proposal validation but are rejected during block finalization, causing denial of service by halting consensus after Tendermint voting completes. The vulnerability requires high privileges (validator proposer role) and results in network availability impact but no data compromise, affecting the Nimiq Proof-of-Stake network's consensus reliability.
Technical ContextAI
The Nimiq core-rs-albatross is a Rust implementation of the Albatross consensus algorithm, which operates within the Tendermint Byzantine Fault Tolerant (BFT) consensus framework. The vulnerability exists in the election macro block validation logic: the verify_macro_block_proposal() function validates the block header's structural integrity, successor relationships, proposer authorization, body root, and state transitions, but critically omits validation of the header.interlink field binding for election blocks. The interlink serves as a historical chain of block references used for Proof-of-Work-style skip-list validation and consensus finality. When a malformed interlink passes proposal validation, validators sign and prevote/precommit the block hash in Tendermint. Only after consensus decides the block does verify_block() during push reject it with InvalidInterlink, creating a window where consensus has committed to a block that cannot be applied. This represents a logic error (CWE-345: Insufficient Verification of Data Authenticity) in cryptographic validation sequencing.
RemediationAI
Vendor-released patch: upgrade nimiq/core-rs-albatross to version 1.3.0 or later. The fix is implemented in commit 9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7 (accessible via pull request https://github.com/nimiq/core-rs-albatross/pull/3668) and is officially released at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. Validators and node operators should prioritize upgrading to 1.3.0 immediately to restore interlink validation in proposal verification. No workarounds are documented; the patch is required to restore correct consensus behavior. Consult the GitHub security advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5 for operational guidance during upgrade.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today