nimiq-primitives CVE-2026-46539
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 17 cargo packages depend on nimiq-primitives (11 direct, 6 indirect)
Ecosystem-wide dependent count for version 0.2.0.
DescriptionNVD
Impact
A logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification.
Patches
The patch for this vulnerability is formally released as part of v1.4.0.
Workarounds
No Workarounds
Resources
See PR.
AnalysisAI
Cryptographic verification bypass in the nimiq-primitives Rust crate allows remote unauthenticated attackers to forge MacroBlock headers and have them accepted as proven without any hash or signature check. The flaw exists in BlockInclusionProof::is_block_proven within core-rs-albatross <= 0.2.0 of nimiq-primitives: when the interlink hop list is empty - a condition that arises legitimately at a specific epoch boundary - the function previously returned true unconditionally rather than verifying the election head actually references the target block. No public exploit identified at time of analysis; vendor-released patch is available as core-rs-albatross v1.4.0.
Technical ContextAI
The affected component is the nimiq-primitives Rust crate (pkg:rust/nimiq-primitives), part of the Nimiq Albatross proof-of-stake blockchain node (core-rs-albatross). Albatross uses election blocks to demarcate epochs, and block inclusion proofs rely on an interlink data structure - a skip-list-like mechanism - to efficiently prove chain membership. The vulnerable function BlockInclusionProof::is_block_proven in primitives/block/src/block_proof.rs calls get_interlink_hops to obtain the hop path between the election head and the target block. CWE-345 (Insufficient Verification of Data Authenticity) is the root cause: the empty-hop-list branch - valid when the target is the election block immediately preceding the current election head's epoch - previously short-circuited to return true without calling any hash comparison. The fix introduces references_block(), which checks both block.header.parent_election_hash and the interlink array for a matching target.hash() before accepting the proof, restoring proper cryptographic grounding.
RemediationAI
Upgrade core-rs-albatross to v1.4.0 or later, the vendor-confirmed patched release incorporating fix commit cc5a1d54bbbffd1ea975bd2ee87d5f7b3b30bbf1 (PR #3705). The release is available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and the advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-799f-29jm-gr6c. The vendor explicitly confirms no workarounds exist - there is no configuration option or feature flag that prevents the vulnerable code path from being triggered. Node operators who cannot immediately upgrade should consider restricting peer connectivity at the network layer to trusted nodes only, which reduces exposure surface but is not a supported mitigation, may impact protocol participation, and does not fully eliminate risk if a trusted peer is compromised.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-799f-29jm-gr6c