Skip to main content

nimiq-primitives CVE-2026-46539

MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-21 https://github.com/nimiq/core-rs-albatross GHSA-799f-29jm-gr6c
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 20:34 vuln.today
Analysis Generated
May 21, 2026 - 20:34 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 cargo packages depend on nimiq-primitives (11 direct, 6 indirect)

Ecosystem-wide dependent count for version 0.2.0.

DescriptionNVD

Impact

A logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the election head's epoch. An attacker providing transaction inclusion proofs can forge a MacroBlock header for that epoch position and have it accepted as "proven" without any hash or signature verification.

Patches

The patch for this vulnerability is formally released as part of v1.4.0.

Workarounds

No Workarounds

Resources

See PR.

AnalysisAI

Cryptographic verification bypass in the nimiq-primitives Rust crate allows remote unauthenticated attackers to forge MacroBlock headers and have them accepted as proven without any hash or signature check. The flaw exists in BlockInclusionProof::is_block_proven within core-rs-albatross <= 0.2.0 of nimiq-primitives: when the interlink hop list is empty - a condition that arises legitimately at a specific epoch boundary - the function previously returned true unconditionally rather than verifying the election head actually references the target block. No public exploit identified at time of analysis; vendor-released patch is available as core-rs-albatross v1.4.0.

Technical ContextAI

The affected component is the nimiq-primitives Rust crate (pkg:rust/nimiq-primitives), part of the Nimiq Albatross proof-of-stake blockchain node (core-rs-albatross). Albatross uses election blocks to demarcate epochs, and block inclusion proofs rely on an interlink data structure - a skip-list-like mechanism - to efficiently prove chain membership. The vulnerable function BlockInclusionProof::is_block_proven in primitives/block/src/block_proof.rs calls get_interlink_hops to obtain the hop path between the election head and the target block. CWE-345 (Insufficient Verification of Data Authenticity) is the root cause: the empty-hop-list branch - valid when the target is the election block immediately preceding the current election head's epoch - previously short-circuited to return true without calling any hash comparison. The fix introduces references_block(), which checks both block.header.parent_election_hash and the interlink array for a matching target.hash() before accepting the proof, restoring proper cryptographic grounding.

RemediationAI

Upgrade core-rs-albatross to v1.4.0 or later, the vendor-confirmed patched release incorporating fix commit cc5a1d54bbbffd1ea975bd2ee87d5f7b3b30bbf1 (PR #3705). The release is available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and the advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-799f-29jm-gr6c. The vendor explicitly confirms no workarounds exist - there is no configuration option or feature flag that prevents the vulnerable code path from being triggered. Node operators who cannot immediately upgrade should consider restricting peer connectivity at the network layer to trusted nodes only, which reduces exposure surface but is not a supported mitigation, may impact protocol participation, and does not fully eliminate risk if a trusted peer is compromised.

Share

CVE-2026-46539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy