Skip to main content

Nimiq core-rs-albatross CVE-2026-46541

HIGH
Improper Check for Unusual or Exceptional Conditions (CWE-754)
2026-06-10 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 00:36 vuln.today
Analysis Generated
Jun 10, 2026 - 00:36 vuln.today

DescriptionNVD

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.

AnalysisAI

Denial-of-service in Nimiq core-rs-albatross (Rust implementation of the Albatross Proof-of-Stake consensus) prior to version 1.4.0 allows a malicious DHT node to suppress all valid DHT GET responses for a query by being the first to reply with an unverifiable record. Because the DhtResults accumulator is only created after the first record passes verification, a single bad first response causes subsequent valid records to be discarded as 'DHT inconsistent state', breaking peer/validator discovery. No public exploit identified at time of analysis, but the patch and full root cause are public in PR #3707.

Technical ContextAI

Nimiq's networking layer is built on libp2p with Kademlia (kad) for DHT-based discovery of validator records and peer addresses. In network-libp2p/src/swarm.rs the handle_dht_get() function processes incoming DHT GET step events: it was designed to lazily create a per-query DhtResults accumulator (count, best_value, outdated_values) only when step.count == 1 AND the first record verified successfully. The CWE-754 (Improper Check for Unusual or Exceptional Conditions) root cause is that the initialization is conditional on first-record verification rather than on first-record arrival, so when an attacker-supplied first record fails verification the HashMap entry is never inserted, and every later step.count > 1 lookup falls into the 'inconsistent state' error branch and is silently dropped. The fix refactors the logic into a store_dht_record() helper that calls HashMap::entry().or_insert_with(), ensuring the accumulator is created on the first verified record regardless of ordering, and introduces a new NetworkError::DhtNoValidRecord that is propagated when a query genuinely terminates with no verified record.

Affected ProductsAI

Nimiq core-rs-albatross (the Rust implementation of the Nimiq Proof-of-Stake protocol using the Albatross consensus algorithm) at all versions prior to 1.4.0 is affected, specifically the network-libp2p crate's handle_dht_get path when built with the 'kad' feature enabled (the default for validator and full-node deployments). No CPE strings were provided in the input. The vendor advisory is GHSA-ccqv-2c9q-mqw5 at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-ccqv-2c9q-mqw5 and the fixed release is tagged at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0.

RemediationAI

Vendor-released patch: upgrade core-rs-albatross to version 1.4.0 or later, which is available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and ships the fix from PR https://github.com/nimiq/core-rs-albatross/pull/3707; the GitHub Security Advisory is GHSA-ccqv-2c9q-mqw5. No vendor-documented workaround exists for unpatched nodes, but operators who cannot upgrade immediately can reduce exposure by disabling the 'kad' Cargo feature where the deployment role permits (this removes Kademlia DHT lookups entirely and will break validator discovery, so it is only viable for nodes that do not rely on DHT-based discovery) or by configuring a restricted, trusted bootstrap/peer set so the probability of a malicious node winning the first-response race is reduced (does not eliminate the bug, only reduces hit rate, and degrades the openness of the P2P topology). Monitoring logs for the 'DHT inconsistent state' message provides a low-cost detection signal for the pre-patch behaviour.

Share

CVE-2026-46541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy