Nimiq Albatross CVE-2026-46545
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
Impact
A remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).
A malicious peer can respond to a RequestChunk with a ResponseChunk::Chunk whose first TrieItem.key is the empty (ROOT) key. The chunk passes sorting, range, and Merkle-proof validation, but when put_raw tries to store a value at the root node, it calls TrieNode::put_value(...).unwrap(), which returns Err(RootCantHaveValue) and panics, aborting the node process. The panic fires on the first malicious chunk the victim commits; no rate limit or authentication gate caps the attack.
Impacted: any node running state sync against untrusted peers - this includes fresh nodes performing initial download and existing nodes recovering from data loss. Honest nodes never construct ROOT-keyed items, so non-syncing operation is unaffected.
Patches
See PR.
Workarounds
There is no safe in-process workaround: any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag.
Resources
- Fix commit: (link to the merged PR commit, once merged)
- Affected code:
primitives/trie/src/trie.rs-put_chunk(around line 819) andput_raw(around line 351)
AnalysisAI
Remote unauthenticated denial-of-service in the Nimiq core-rs-albatross client (nimiq-primitives crate prior to 1.5.0) lets any state-sync peer crash a syncing node by sending a ResponseChunk whose first TrieItem.key is the empty ROOT key, triggering a panic in MerkleRadixTrie::put_chunk → put_raw. No public exploit identified at time of analysis, but the issue is trivially triggerable with a single malformed chunk and affects all nodes performing initial sync or recovery against untrusted peers. EPSS data was not provided; CVSS A:H impact and zero attacker prerequisites make this a high-priority availability bug for Nimiq node operators.
Technical ContextAI
The flaw lives in the Merkle Radix Trie implementation used by Nimiq's Albatross proof-of-stake blockchain client written in Rust. During state synchronization, peers exchange TrieChunk messages containing sorted TrieItem entries with Merkle proofs. The validation pipeline checks sorting, range, and proof correctness but does not reject items whose key is KeyNibbles::ROOT (the empty key). When put_raw walks to the root node and calls TrieNode::put_value(...).unwrap(), the underlying call returns Err(RootCantHaveValue) - root nodes structurally cannot hold values - and the unwrap panics the entire node process. This is a textbook CWE-248 (Uncaught Exception) issue where a recoverable Result was treated as infallible. The patch (PR #3762, commit 0fb8766) adds an explicit is_empty() check on items[0].key at the put_chunk boundary (root is the minimum key, so the first sorted item suffices), returns InvalidChunk instead of panicking, and adds a debug_assert plus regression test.
RemediationAI
Vendor-released patch: nimiq-primitives 1.5.0 (and the corresponding core-rs-albatross v1.5.0 release). Upgrade all Nimiq node binaries and any downstream Rust projects depending on nimiq-primitives to 1.5.0 or later via the merged fix at https://github.com/nimiq/core-rs-albatross/pull/3762 and commit https://github.com/nimiq/core-rs-albatross/commit/0fb8766adea91e038af00e635a6eb92756e50172. The vendor explicitly states there is no safe in-process workaround because any peer serving state-sync data can trigger the crash and the code path is not guarded by a feature flag. Operational mitigations while patching are limited but include: deferring fresh node bootstraps and recovery operations until upgrade, pinning state-sync to a small set of trusted peers if the deployment supports peer allowlisting (trade-off: reduces decentralization and increases reliance on operator-controlled infrastructure), and supervising the process with auto-restart so repeated crashes do not silently drop the node out of the network (trade-off: hides the symptom but does not stop the attack).
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mw3q-r9wh-h2ff