Skip to main content

Nimiq network-libp2p CVE-2026-44505

MEDIUM
Improper Handling of Exceptional Conditions (CWE-755)
2026-06-10 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 00:45 vuln.today
Analysis Generated
Jun 10, 2026 - 00:45 vuln.today

DescriptionNVD

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.

AnalysisAI

Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.

Technical ContextAI

Nimiq core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake blockchain protocol using the Albatross consensus algorithm. The network-libp2p crate integrates with libp2p's Kademlia DHT (kad) for peer-to-peer record storage and retrieval. Query progress is handled in handle_dht_get (network-libp2p/src/swarm.rs), which processes kad::Event callbacks and communicates results to callers via tokio oneshot channels stored in a dht_gets map. When a FoundRecord event arrives, the code invokes dht_verifier.verify() to authenticate the record. CWE-755 (Improper Handling of Exceptional Conditions) captures the root cause: the error path returned early without sending an error to the oneshot, without removing the query from dht_get_results, and without calling query.finish() on the kad query object. Because Network::dht_get called output_rx.await with no timeout, any future awaiting the result would be permanently suspended. The fix introduces an abort_dht_get helper that unconditionally cleans up both the oneshot sender and the dht_get_results bookkeeping, and wraps output_rx.await in a REQUEST_TIMEOUT using tokio::time::timeout.

Affected ProductsAI

All releases of nimiq/core-rs-albatross prior to version 1.4.0 are affected when the kad feature is compiled in. The vulnerable component is network-libp2p/src/swarm.rs within the core-rs-albatross repository. The GitHub Security Advisory GHSA-g39c-jcgg-qwvr and the v1.4.0 release tag at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 confirm the version boundary. No CPE string was provided in the input data; affected versions can be identified via Cargo.lock referencing nimiq-network-libp2p at any version below 1.4.0.

RemediationAI

Upgrade to nimiq/core-rs-albatross version 1.4.0, which introduces the abort_dht_get cleanup helper, adds a REQUEST_TIMEOUT to output_rx.await in Network::dht_get, and adds three new error variants (DhtGetInconsistentState, DhtGetVerificationFailed, DhtGetTimeout) to ensure all error paths properly signal the oneshot and release bookkeeping. The fix is confirmed in the tagged GitHub release at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and the upstream PR at https://github.com/nimiq/core-rs-albatross/pull/3716. If immediate upgrade is not feasible, a partial compensating control is to wrap all callsites of Network::dht_get with an application-level timeout (e.g., tokio::time::timeout), which prevents indefinite hangs at the cost of legitimate DHT queries also timing out under slow-peer conditions. Disabling the kad feature entirely would eliminate the attack surface but also removes all DHT-based peer discovery and record storage functionality.

Share

CVE-2026-44505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy