nimiq-blockchain CVE-2026-46543

Severity: MEDIUM
Weakness: Reachable Assertion (CWE-617)
2026-05-21 | https://github.com/nimiq/core-rs-albatross | GHSA-vghx-352f-93jm
CVSS 3.1 score: 5.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Source Code Evidence Fetched: May 21, 2026 - 20:33 (vuln.today)
Analysis Generated: May 21, 2026 - 20:33 (vuln.today)

Description (NVD)

Impact

A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with "No macro blocks before genesis block".
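A simplified model of the failure mode described above, added here as an illustration and not taken from nimiq-blockchain or its patch. The constants, the batch length and every function body are assumptions; it contrasts a backward walk that reaches the panic with one that stops at the lower bound.

```rust
// Simplified model of the advisory's failure mode. All names, constants and
// bodies are assumptions for illustration, not nimiq-blockchain code.
const GENESIS_BLOCK_NUMBER: u32 = 0; // assumed
const BLOCKS_PER_BATCH: u32 = 60; // constructed value

/// Last macro block strictly before `n`; panics at genesis, as the advisory describes.
fn macro_block_before(n: u32) -> u32 {
    if n <= GENESIS_BLOCK_NUMBER {
        panic!("No macro blocks before genesis block");
    }
    GENESIS_BLOCK_NUMBER + (n - GENESIS_BLOCK_NUMBER - 1) / BLOCKS_PER_BATCH * BLOCKS_PER_BATCH
}

/// Total variant: `None` when there is no predecessor, instead of a panic.
fn checked_macro_block_before(n: u32) -> Option<u32> {
    (n > GENESIS_BLOCK_NUMBER).then(|| macro_block_before(n))
}

/// Unguarded backward walk over a peer-chosen start block.
fn walk_unguarded(start: u32, steps: usize) -> Vec<u32> {
    let mut out = vec![start];
    for _ in 0..steps {
        let cur = *out.last().unwrap();
        out.push(macro_block_before(cur)); // panics once `cur` is genesis
    }
    out
}

/// Guarded walk: stops at genesis, so untrusted input cannot reach the panic.
fn walk_guarded(start: u32, steps: usize) -> Vec<u32> {
    let mut out = vec![start];
    for _ in 0..steps {
        let cur = *out.last().unwrap();
        match checked_macro_block_before(cur) {
            Some(prev) => out.push(prev),
            None => break, // lower bound reached
        }
    }
    out
}

fn main() {
    println!("{:?}", walk_guarded(120, 5));
    println!("{:?}", walk_guarded(GENESIS_BLOCK_NUMBER, 5));
    let crashed = std::panic::catch_unwind(|| walk_unguarded(GENESIS_BLOCK_NUMBER, 1)).is_err();
    println!("unguarded walk from genesis panicked: {crashed}");
}
```

In a network handler, the `None` branch is where the request would be answered with an empty or error response rather than unwinding the process.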

Patches

The patch for this vulnerability is formally released as part of v1.5.0.

Workarounds

No workaround, although requesting the genesis batch set is not used during normal operation.

Resources

See PR.

Analysis (AI)

Unauthenticated remote crash of Nimiq full nodes running nimiq-blockchain versions before 1.5.0 is achievable by any network peer sending a single crafted RequestBatchSet message referencing the genesis block hash. The node's batch set handler iterates backward through macro blocks without a lower-bound guard, causing a Rust panic in Policy::macro_block_before when iteration reaches genesis, immediately terminating the process. …