CVE-2026-34069
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
An unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic by sending a RequestMacroChain message where the first locator hash that is on the victim’s main chain is a micro block hash (not a macro block hash).
In RequestMacroChain::handle, the handler selects the locator based only on "is on main chain", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro).
Patches
The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3660) is formally released as part of v1.3.0.
Workarounds
No known workarounds.
AnalysisAI
Denial of service in Nimiq Core consensus peer handler allows unauthenticated remote attackers to crash the RequestMacroChain message handler by sending a crafted message where the first locator hash on the victim's main chain is a micro block instead of a macro block, triggering an unhandled panic via unwrap() on BlockIsNotMacro error. Vendor-released patch: v1.3.0. EPSS score of 0.04% (12th percentile) indicates low real-world exploitation probability despite network-accessible attack vector.
Technical ContextAI
The Nimiq consensus layer implements peer-to-peer message handlers for blockchain synchronization. The RequestMacroChain handler processes messages from untrusted peers to retrieve macro blocks (consensus-critical blocks containing validator set changes) from the blockchain. The vulnerability exists in the message handler's block selection logic, which uses a locator-based mechanism to identify which blocks to return. The handler filters candidate blocks using only the criterion 'is on main chain' without validating that the selected block is actually a macro block before calling get_macro_blocks(). The Rust code uses .unwrap() on the return value, converting the recoverable BlockIsNotMacro error into a panic that crashes the entire message handler task. The underlying issue is a type confusion between block categories (micro vs macro) in the consensus state machine.
RemediationAI
Upgrade Nimiq Core to v1.3.0 or later, which includes the patch released via https://github.com/nimiq/core-rs-albatross/pull/3660 (commit ae6c1e92342e72f80fd12accbe66ee80dd6802ac). For Rust projects depending on the nimiq-consensus crate, update the dependency to version 1.3.0 or higher in Cargo.toml and rebuild. No workarounds are available; patching is the only mitigation. Node operators should prioritize this update to restore full message handler stability and prevent task-level denial of service from malicious peers.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-48m6-486p-9j8p