Skip to main content

CVE-2026-34069

MEDIUM
Reachable Assertion (CWE-617)
2026-04-13 https://github.com/nimiq/core-rs-albatross GHSA-48m6-486p-9j8p
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:47 vuln.today
Analysis Generated
Apr 13, 2026 - 16:45 vuln.today
Patch released
Apr 13, 2026 - 16:45 nvd
Patch available
CVE Published
Apr 13, 2026 - 16:36 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

An unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic by sending a RequestMacroChain message where the first locator hash that is on the victim’s main chain is a micro block hash (not a macro block hash).

In RequestMacroChain::handle, the handler selects the locator based only on "is on main chain", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro).

Patches

The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3660) is formally released as part of v1.3.0.

Workarounds

No known workarounds.

AnalysisAI

Denial of service in Nimiq Core consensus peer handler allows unauthenticated remote attackers to crash the RequestMacroChain message handler by sending a crafted message where the first locator hash on the victim's main chain is a micro block instead of a macro block, triggering an unhandled panic via unwrap() on BlockIsNotMacro error. Vendor-released patch: v1.3.0. EPSS score of 0.04% (12th percentile) indicates low real-world exploitation probability despite network-accessible attack vector.

Technical ContextAI

The Nimiq consensus layer implements peer-to-peer message handlers for blockchain synchronization. The RequestMacroChain handler processes messages from untrusted peers to retrieve macro blocks (consensus-critical blocks containing validator set changes) from the blockchain. The vulnerability exists in the message handler's block selection logic, which uses a locator-based mechanism to identify which blocks to return. The handler filters candidate blocks using only the criterion 'is on main chain' without validating that the selected block is actually a macro block before calling get_macro_blocks(). The Rust code uses .unwrap() on the return value, converting the recoverable BlockIsNotMacro error into a panic that crashes the entire message handler task. The underlying issue is a type confusion between block categories (micro vs macro) in the consensus state machine.

RemediationAI

Upgrade Nimiq Core to v1.3.0 or later, which includes the patch released via https://github.com/nimiq/core-rs-albatross/pull/3660 (commit ae6c1e92342e72f80fd12accbe66ee80dd6802ac). For Rust projects depending on the nimiq-consensus crate, update the dependency to version 1.3.0 or higher in Cargo.toml and rebuild. No workarounds are available; patching is the only mitigation. Node operators should prioritize this update to restore full message handler stability and prevent task-level denial of service from malicious peers.

Share

CVE-2026-34069 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy