Skip to main content

nimiq-primitives CVE-2026-54542

LOW
Out-of-bounds Read (CWE-125)
2026-07-16 https://github.com/nimiq/core-rs-albatross GHSA-5rg2-xv9j-gv5p
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

Attacker must be positioned as a network sync peer (AC:H, PR:N); only transient availability impact with no confidentiality or integrity effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 16, 2026 - 20:37 vuln.today
Analysis Generated
Jul 16, 2026 - 20:37 vuln.today

DescriptionGitHub Advisory

Impact

A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key_nibbles.rs:332 / :341) indexes bytes[self.bytes_len()..self.bytes_len() + other.bytes_len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).

KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put_chunkchild.key()is_stump()+, i.e. before proof.verify(), so no valid proof is required. As with the related child_index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).

Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).

Patches

Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.

Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

AnalysisAI

Crash-inducing out-of-bounds panic in core-rs-albatross 1.5.1 and earlier allows a malicious state-sync peer to repeatedly restart a syncing Nimiq node without supplying a valid cryptographic proof. The panic fires in KeyNibbles::Add before proof.verify() is reached, meaning an unauthenticated network peer positioned as the victim's sync source can trigger the denial-of-service with a single crafted TrieChunk message. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as victim's active sync peer
Delivery
Craft TrieChunk with individually-valid but combinatorially-oversized TrieNodeChild suffix
Exploit
Deliver malicious TrieChunk during state-sync protocol
Execution
Trigger out-of-bounds slice panic in KeyNibbles::Add before proof verification
Persist
Crash victim node process
Impact
Node auto-restarts and re-syncs

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker control or successfully impersonate a state-sync peer from which the victim node is actively pulling state during the blockchain sync phase - this is the non-trivial prerequisite reflected in AC:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 3.7 (Low) accurately reflects the constrained real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or impersonates a sync peer for a target Nimiq node constructs a `TrieChunk` in which a `TrieNodeChild.suffix` is individually within the `length <= 126` deserialization limit but, when concatenated with the parent key during `put_chunk` processing, pushes the combined nibble count beyond 126. When the victim node processes this message during state sync, `KeyNibbles::Add` indexes out of bounds before proof verification is reached, causing the Rust runtime to panic and terminate the node process. …
Remediation Upgrade to core-rs-albatross version 1.6.0, which is the vendor-confirmed fixed release available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.6.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54542 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy