Skip to main content

Nimiq Albatross CVE-2026-46545

HIGH
Uncaught Exception (CWE-248)
2026-05-21 https://github.com/nimiq/core-rs-albatross GHSA-mw3q-r9wh-h2ff
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 21, 2026 - 20:30 vuln.today
Analysis Generated
May 21, 2026 - 20:30 vuln.today

DescriptionNVD

Impact

A remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).

A malicious peer can respond to a RequestChunk with a ResponseChunk::Chunk whose first TrieItem.key is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when put_raw tries to store a value at the root node, it calls TrieNode::put_value(...).unwrap(), which returns Err(RootCantHaveValue) and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.

Impacted: any node running state sync against untrusted peers - this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.

Patches

See PR.

Workarounds

There is no safe in-process workaround: any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag.

Resources

  • Fix commit: (link to the merged PR commit, once merged)
  • Affected code: primitives/trie/src/trie.rs - put_chunk (around line 819) and put_raw (around line 351)

AnalysisAI

Remote unauthenticated denial-of-service in the Nimiq core-rs-albatross client (nimiq-primitives crate prior to 1.5.0) lets any state-sync peer crash a syncing node by sending a ResponseChunk whose first TrieItem.key is the empty ROOT key, triggering a panic in MerkleRadixTrie::put_chunk → put_raw. No public exploit identified at time of analysis, but the issue is trivially triggerable with a single malformed chunk and affects all nodes performing initial sync or recovery against untrusted peers. EPSS data was not provided; CVSS A:H impact and zero attacker prerequisites make this a high-priority availability bug for Nimiq node operators.

Technical ContextAI

The flaw lives in the Merkle Radix Trie implementation used by Nimiq's Albatross proof-of-stake blockchain client written in Rust. During state synchronization, peers exchange TrieChunk messages containing sorted TrieItem entries with Merkle proofs. The validation pipeline checks sorting, range, and proof correctness but does not reject items whose key is KeyNibbles::ROOT (the empty key). When put_raw walks to the root node and calls TrieNode::put_value(...).unwrap(), the underlying call returns Err(RootCantHaveValue) - root nodes structurally cannot hold values - and the unwrap panics the entire node process. This is a textbook CWE-248 (Uncaught Exception) issue where a recoverable Result was treated as infallible. The patch (PR #3762, commit 0fb8766) adds an explicit is_empty() check on items[0].key at the put_chunk boundary (root is the minimum key, so the first sorted item suffices), returns InvalidChunk instead of panicking, and adds a debug_assert plus regression test.

RemediationAI

Vendor-released patch: nimiq-primitives 1.5.0 (and the corresponding core-rs-albatross v1.5.0 release). Upgrade all Nimiq node binaries and any downstream Rust projects depending on nimiq-primitives to 1.5.0 or later via the merged fix at https://github.com/nimiq/core-rs-albatross/pull/3762 and commit https://github.com/nimiq/core-rs-albatross/commit/0fb8766adea91e038af00e635a6eb92756e50172. The vendor explicitly states there is no safe in-process workaround because any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag. Operational mitigations while patching are limited but include: deferring fresh node bootstraps and recovery operations until upgrade, pinning state-sync to a small set of trusted peers if the deployment supports peer allowlisting (trade-off: reduces decentralization and increases reliance on operator-controlled infrastructure), and supervising the process with auto-restart so repeated crashes do not silently drop the node out of the network (trade-off: hides the symptom but does not stop the attack).

Share

CVE-2026-46545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy