nimiq-primitives CVE-2026-54542
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attacker must be positioned as a network sync peer (AC:H, PR:N); only transient availability impact with no confidentiality or integrity effect.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key_nibbles.rs:332 / :341) indexes bytes[self.bytes_len()..self.bytes_len() + other.bytes_len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).
KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put_chunk → child.key() → is_stump() → +, i.e. before proof.verify(), so no valid proof is required. As with the related child_index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).
Patches
Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.
Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
AnalysisAI
Crash-inducing out-of-bounds panic in core-rs-albatross 1.5.1 and earlier allows a malicious state-sync peer to repeatedly restart a syncing Nimiq node without supplying a valid cryptographic proof. The panic fires in KeyNibbles::Add before proof.verify() is reached, meaning an unauthenticated network peer positioned as the victim's sync source can trigger the denial-of-service with a single crafted TrieChunk message. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker control or successfully impersonate a state-sync peer from which the victim node is actively pulling state during the blockchain sync phase - this is the non-trivial prerequisite reflected in AC:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 3.7 (Low) accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or impersonates a sync peer for a target Nimiq node constructs a `TrieChunk` in which a `TrieNodeChild.suffix` is individually within the `length <= 126` deserialization limit but, when concatenated with the parent key during `put_chunk` processing, pushes the combined nibble count beyond 126. When the victim node processes this message during state sync, `KeyNibbles::Add` indexes out of bounds before proof verification is reached, causing the Rust runtime to panic and terminate the node process. … |
| Remediation | Upgrade to core-rs-albatross version 1.6.0, which is the vendor-confirmed fixed release available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-5rg2-xv9j-gv5p