Skip to main content

nimiq-blockchain CVE-2026-34066

| EUVDEUVD-2026-25064 MEDIUM
Improper Input Validation (CWE-20)
2026-04-22 https://github.com/nimiq/core-rs-albatross GHSA-j99g-7rqw-q9jg
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 19:31 euvd
EUVD-2026-25064
Analysis Generated
Apr 22, 2026 - 19:31 vuln.today
Patch released
Apr 22, 2026 - 19:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:23 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 cargo packages depend on nimiq-blockchain (6 direct, 2 indirect)

Ecosystem-wide dependent count for version 0.2.0.

DescriptionGitHub Advisory

Impact

HistoryStore::put_historic_txns uses an assert! to enforce invariants about HistoricTransaction.block_number (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the history: &[HistoricTransaction] input passed into Blockchain::push_history_sync, and a malformed history list can violate these invariants and trigger a panic.

extend_history_sync calls this.history_store.add_to_history(..) before comparing the computed history root against the macro block header (block.history_root()), so the panic can happen before later rejection checks run.

Patches

The patch for this vulnerability is included as part of v1.3.0.

Workarounds

No known workarounds.

AnalysisAI

Denial of service in Nimiq Core's history synchronization allows remote peers to trigger a panic in HistoryStore::put_historic_txns by submitting malformed transaction history with block numbers violating invariant constraints. During history sync, the panic occurs before validation checks compare the computed history root against the macro block header, causing affected nodes to crash. The CVSS score of 5.3 reflects high availability impact but requires user interaction and high attack complexity to exploit.

Technical ContextAI

The vulnerability exists in the Nimiq blockchain consensus layer's history synchronization mechanism. The HistoryStore::put_historic_txns function uses Rust assert! macros to enforce that HistoricTransaction block numbers fall within the macro block being pushed and remain within the same epoch. During blockchain::push_history_sync, untrusted peer-supplied history data is processed by extend_history_sync, which calls history_store.add_to_history before performing cryptographic validation of the history root against the macro block header. The root cause (CWE-20: Improper Input Validation) stems from calling security-critical functions with unchecked invariant assumptions before defensive validation gates. This is a classic issue in systems programming where panics (Rust's unwind mechanism) can be weaponized to cause denial of service if triggered on adversarial input paths.

RemediationAI

Upgrade nimiq-blockchain to version 1.3.0 or later immediately. The vendor-released patch is available in v1.3.0 of nimiq/core-rs-albatross (https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0) and implements validation of HistoricTransaction invariants before calling add_to_history, preventing assertion panics on malformed peer input. The patch PR is available at https://github.com/nimiq/core-rs-albatross/pull/3656. For Rust projects depending on the nimiq-blockchain crate, update Cargo.toml to require version 1.3.0+ and run 'cargo update'. No workarounds exist; patching is the only mitigation. Validators and full nodes must upgrade their nimiq-core implementations to prevent denial of service during history sync with untrusted peers.

Share

CVE-2026-34066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy