Skip to main content

Nimiq Core-rs-Albatross CVE-2026-34067

| EUVDEUVD-2026-25084 LOW
Reachable Assertion (CWE-617)
2026-04-22 https://github.com/nimiq/core-rs-albatross GHSA-264v-m8fm-76jm
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:01 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 19:31 euvd
EUVD-2026-25084
Analysis Generated
Apr 22, 2026 - 19:31 vuln.today
Patch released
Apr 22, 2026 - 19:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:20 nvd
LOW 3.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 16 cargo packages depend on nimiq-transaction (10 direct, 6 indirect)

Ecosystem-wide dependent count for version 0.2.0.

DescriptionGitHub Advisory

Impact

HistoryTreeProof::verify panics on a malformed proof where history.len() != positions.len() due to assert_eq!(history.len(), positions.len()).

The proof object is derived from untrusted p2p responses (ResponseTransactionsProof.proof) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch.

Patches

The patch for this vulnerability is included as part of v1.3.0.

Workarounds

No known workarounds know.

AnalysisAI

Nimiq Core-rs-Albatross prior to v1.3.0 crashes when processing malformed transaction inclusion proofs with mismatched history and positions arrays. A remote attacker can trigger a denial of service by sending a crafted ResponseTransactionsProof with unequal array lengths, causing the HistoryTreeProof::verify function to panic. The vulnerability requires high attack complexity and user interaction, limiting real-world impact despite network accessibility.

Technical ContextAI

The vulnerability resides in the HistoryTreeProof::verify function within the nimiq-transaction crate, a Rust-based blockchain component. The function validates transaction inclusion proofs derived from untrusted peer-to-peer responses (ResponseTransactionsProof.proof). The root cause is an unguarded assert_eq! macro comparing history.len() and positions.len() without bounds checking or graceful error handling, violating CWE-617 (Reachable Assertion). Proof structures are deserialized from network messages before validation, exposing the assertion to attacker control. The Rust assert! macro causes a panic unwind rather than returning an error, terminating the validator process.

RemediationAI

Upgrade to Nimiq Core-rs-Albatross v1.3.0 or later, which includes the upstream fix committed at 6ff0800e8e031363e787c827d8d033e5694e4e6a (merged via pull request #3659). This patch replaces the unguarded assert_eq! with proper bounds validation that returns a validation error instead of panicking. For organizations unable to upgrade immediately, implement input validation at the network layer to reject ResponseTransactionsProof messages where proof array lengths are obviously mismatched before passing to HistoryTreeProof::verify. Be aware that this workaround requires network-level introspection and may not catch all proof structures; patching is the recommended path. See GitHub advisory GHSA-264v-m8fm-76jm and the v1.3.0 release notes for deployment guidance.

Share

CVE-2026-34067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy