Nimiq core-rs-albatross CVE-2026-46541
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.
AnalysisAI
Denial-of-service in Nimiq core-rs-albatross (Rust implementation of the Albatross Proof-of-Stake consensus) prior to version 1.4.0 allows a malicious DHT node to suppress all valid DHT GET responses for a query by being the first to reply with an unverifiable record. Because the DhtResults accumulator is only created after the first record passes verification, a single bad first response causes subsequent valid records to be discarded as 'DHT inconsistent state', breaking peer/validator discovery. No public exploit identified at time of analysis, but the patch and full root cause are public in PR #3707.
Technical ContextAI
Nimiq's networking layer is built on libp2p with Kademlia (kad) for DHT-based discovery of validator records and peer addresses. In network-libp2p/src/swarm.rs the handle_dht_get() function processes incoming DHT GET step events: it was designed to lazily create a per-query DhtResults accumulator (count, best_value, outdated_values) only when step.count == 1 AND the first record verified successfully. The CWE-754 (Improper Check for Unusual or Exceptional Conditions) root cause is that the initialization is conditional on first-record verification rather than on first-record arrival, so when an attacker-supplied first record fails verification the HashMap entry is never inserted, and every later step.count > 1 lookup falls into the 'inconsistent state' error branch and is silently dropped. The fix refactors the logic into a store_dht_record() helper that calls HashMap::entry().or_insert_with(), ensuring the accumulator is created on the first verified record regardless of ordering, and introduces a new NetworkError::DhtNoValidRecord that is propagated when a query genuinely terminates with no verified record.
Affected ProductsAI
Nimiq core-rs-albatross (the Rust implementation of the Nimiq Proof-of-Stake protocol using the Albatross consensus algorithm) at all versions prior to 1.4.0 is affected, specifically the network-libp2p crate's handle_dht_get path when built with the 'kad' feature enabled (the default for validator and full-node deployments). No CPE strings were provided in the input. The vendor advisory is GHSA-ccqv-2c9q-mqw5 at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-ccqv-2c9q-mqw5 and the fixed release is tagged at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0.
RemediationAI
Vendor-released patch: upgrade core-rs-albatross to version 1.4.0 or later, which is available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0 and ships the fix from PR https://github.com/nimiq/core-rs-albatross/pull/3707; the GitHub Security Advisory is GHSA-ccqv-2c9q-mqw5. No vendor-documented workaround exists for unpatched nodes, but operators who cannot upgrade immediately can reduce exposure by disabling the 'kad' Cargo feature where the deployment role permits (this removes Kademlia DHT lookups entirely and will break validator discovery, so it is only viable for nodes that do not rely on DHT-based discovery) or by configuring a restricted, trusted bootstrap/peer set so the probability of a malicious node winning the first-response race is reduced (does not eliminate the bug, only reduces hit rate, and degrades the openness of the P2P topology). Monitoring logs for the 'DHT inconsistent state' message provides a low-cost detection signal for the pre-patch behaviour.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today