Nimiq network-libp2p CVE-2026-44505
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.
AnalysisAI
Indefinite future hang (denial of service) in Nimiq core-rs-albatross's network-libp2p component allows any remote peer to cause DHT get-record callers to block forever by returning a record that fails signature or structural verification. The root cause is improper error handling in handle_dht_get (swarm.rs): on verifier failure or subsequent inconsistent-state transitions, the oneshot channel used by Network::dht_get is never completed and per-query bookkeeping is never cleaned up, leaving the awaiting caller suspended without a timeout. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV. The issue is patched in version 1.4.0.
Technical ContextAI
Nimiq core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake blockchain protocol using the Albatross consensus algorithm. The network-libp2p crate integrates with libp2p's Kademlia DHT (kad) for peer-to-peer record storage and retrieval. Query progress is handled in handle_dht_get (network-libp2p/src/swarm.rs), which processes kad::Event callbacks and communicates results to callers via tokio oneshot channels stored in a dht_gets map. When a FoundRecord event arrives, the code invokes dht_verifier.verify() to authenticate the record. CWE-755 (Improper Handling of Exceptional Conditions) captures the root cause: the error path returned early without sending an error to the oneshot, without removing the query from dht_get_results, and without calling query.finish() on the kad query object. Because Network::dht_get called output_rx.await with no timeout, any future awaiting the result would be permanently suspended. The fix introduces an abort_dht_get helper that unconditionally cleans up both the oneshot sender and the dht_get_results bookkeeping, and wraps output_rx.await in a REQUEST_TIMEOUT using tokio::time::timeout.
Affected ProductsAI
All releases of nimiq/core-rs-albatross prior to version 1.4.0 are affected when the kad feature is compiled in. The vulnerable component is network-libp2p/src/swarm.rs within the core-rs-albatross repository. The GitHub Security Advisory GHSA-g39c-jcgg-qwvr and the v1.4.0 release tag at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 confirm the version boundary. No CPE string was provided in the input data; affected versions can be identified via Cargo.lock referencing nimiq-network-libp2p at any version below 1.4.0.
RemediationAI
Upgrade to nimiq/core-rs-albatross version 1.4.0, which introduces the abort_dht_get cleanup helper, adds a REQUEST_TIMEOUT to output_rx.await in Network::dht_get, and adds three new error variants (DhtGetInconsistentState, DhtGetVerificationFailed, DhtGetTimeout) to ensure all error paths properly signal the oneshot and release bookkeeping. The fix is confirmed in the tagged GitHub release at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and the upstream PR at https://github.com/nimiq/core-rs-albatross/pull/3716. If immediate upgrade is not feasible, a partial compensating control is to wrap all callsites of Network::dht_get with an application-level timeout (e.g., tokio::time::timeout), which prevents indefinite hangs at the cost of legitimate DHT queries also timing out under slow-peer conditions. Disabling the kad feature entirely would eliminate the attack surface but also removes all DHT-based peer discovery and record storage functionality.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today