Skip to main content

Core Rs Albatross CVE-2026-40093

| EUVDEUVD-2026-21146 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-09 GitHub_M GHSA-49xc-52mp-cc9j
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 17:22 vuln.today
cvss_changed
EUVD ID Assigned
Apr 09, 2026 - 21:00 euvd
EUVD-2026-21146
Analysis Generated
Apr 09, 2026 - 21:00 vuln.today
CVE Published
Apr 09, 2026 - 20:29 nvd
HIGH 8.1

DescriptionGitHub Advisory

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.

AnalysisAI

Timestamp manipulation in Nimiq Core Rust implementation (nimiq-blockchain 1.3.0 and earlier) allows authenticated block-producing validators to set arbitrarily future block timestamps, bypassing validation constraints and directly inflating the blockchain's monetary supply beyond the intended emission schedule through compromised Policy::supply_at() and batch_delay() reward calculations. The vulnerability exploits absent upper-bound wall-clock validation in non-skip and skip block timestamp verification logic, enabling integrity compromise of the blockchain's economic model. No public exploit identified at time of analysis.

Technical ContextAI

Root cause is CWE-1284 (improper input validation) in block timestamp validation logic. Validation enforces timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but omits maximum bound checking against system wall clock. Malicious validators exploit this to inject future-dated timestamps, poisoning reward computation functions in blockchain/src/reward.rs module.

RemediationAI

Vendor-released security advisory available at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-49xc-52mp-cc9j. Upgrade to patched version specified in GitHub advisory immediately. No patched version number independently confirmed in available data; consult vendor advisory for exact fixed release. As interim mitigation, restrict block-producing validator privileges to trusted entities only and implement monitoring for abnormal timestamp deltas between consecutive blocks exceeding expected network drift thresholds. Organizations running validator nodes should audit historical block timestamps for anomalies indicative of prior exploitation and validate total supply calculations against canonical emission schedule. No effective workaround exists without source-level validation enforcement; deployment of vendor patch is mandatory for production blockchain networks.

Share

CVE-2026-40093 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy