nimiq-keys CVE-2026-46542
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
Impact
A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs called .unwrap() on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Ed25519PublicKey construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the hosting process.
A secondary panic existed in Commitment::From<[u8; 32]>, which similarly called .unwrap() on a failing curve point decompression.
Who is affected: Browser and desktop wallet users of the web-client WASM library and the nimiq-wallet crate, when initiating a multisig operation with an attacker-supplied public key. An attacker must convince the user to include a crafted public key in a multisig setup - this is not a remotely triggerable node/validator crash.
Who is NOT affected: Validator nodes, consensus, blockchain, mempool, and networking code. There is no on-chain multisig account type; multisig is a purely client-side construct, and no validator/consensus code calls the multisig delinearization path.
Patches
See PR.
Workarounds
No code-level workaround exists short of the patch. Users of wallet applications can mitigate exposure by only performing multisig operations with public keys received from trusted sources.
Resources
- Affected code:
keys/src/multisig/mod.rs,keys/src/multisig/commitment.rs
AnalysisAI
Process crash in the nimiq-keys Rust crate (versions below 1.4.0) occurs when the Ed25519 multisig delinearization path receives a 32-byte public key that is length-valid but does not represent a valid point on the Edwards25519 curve, triggering a Rust .unwrap() panic that kills the hosting wallet process. Affected users are those running the Nimiq web-client WASM library or nimiq-wallet crate who can be persuaded by an attacker to include a crafted key in a multisig setup; validator nodes and all consensus infrastructure are explicitly out of scope. No public exploit has been identified at time of analysis, and no KEV listing exists, indicating this has not been broadly weaponized.
Technical ContextAI
The affected package is the nimiq-keys Rust crate (pkg:rust/nimiq-keys), specifically the multisig code in keys/src/multisig/mod.rs and keys/src/multisig/commitment.rs. Ed25519 uses points on the Edwards25519 elliptic curve; a 32-byte byte sequence can be syntactically well-formed (passing length checks) without being a valid compressed curve point. The original Ed25519PublicKey construction validated only byte length, not curve membership (the CWE-617 'Reachable Assertion' root cause class), so a malformed key could traverse the full call chain to Ed25519PublicKey::delinearize(), where .unwrap() on the failed curve point decompression would panic the Rust process. A secondary identical panic existed in Commitment::From<[u8; 32]>. The patch (PR #3713, commit 3bc449a) converts From to TryFrom and propagates errors as Result<_, PartialSignatureError::InvalidCurvePoint> throughout the multisig call chain, eliminating all reachable panics in this path.
RemediationAI
Upgrade nimiq-keys to version 1.4.0 or later, the confirmed vendor-released patch that resolves both the primary panic in Ed25519PublicKey::delinearize() and the secondary panic in Commitment::From<[u8; 32]> by replacing .unwrap() calls with proper Result-based error propagation. The patch is available via PR https://github.com/nimiq/core-rs-albatross/pull/3713, commit https://github.com/nimiq/core-rs-albatross/commit/3bc449a8138960c4de6bfd506bad1730c621d4de, and the tagged release at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0. No code-level workaround exists short of the patch. As a behavioral mitigation prior to patching, wallet users should restrict multisig operations exclusively to public keys obtained from trusted and independently verified sources, which reduces the attack surface by limiting the attacker's key-delivery vector but does not eliminate the underlying vulnerability.
Same weakness CWE-617 – Reachable Assertion
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h9cc-w26m-j342