Skip to main content

Core Rs Albatross EUVDEUVD-2026-22061

| CVE-2026-32605 HIGH
Out-of-bounds Read (CWE-125)
2026-04-13 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

9
Patch released
Apr 24, 2026 - 17:11 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:57 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.3.0
Analysis Generated
Apr 15, 2026 - 12:34 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 19:30 euvd
EUVD-2026-22061
Analysis Generated
Apr 13, 2026 - 19:30 vuln.today
CVE Published
Apr 13, 2026 - 18:54 nvd
HIGH 7.5

DescriptionGitHub Advisory

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.

AnalysisAI

Nimiq core-rs-albatross validators prior to version 1.3.0 can be remotely crashed via malformed Tendermint proposals. An unauthenticated network attacker exploits an off-by-one bounds check error (using > instead of >=) to trigger an out-of-bounds index panic before signature verification occurs. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a straightforward denial-of-service vector against Proof-of-Stake validators in the Nimiq blockchain network, though no public exploit

Technical ContextAI

Nimiq core-rs-albatross implements the Albatross consensus algorithm, a Proof-of-Stake blockchain protocol written in Rust. The vulnerability resides in the Tendermint proposal message handling logic within ProposalSender::send. The code performs a bounds check on the signer field against validators.num_validators() using a greater-than comparison (signer > num_validators) rather than greater-than-or-equal (signer >= num_validators). When an attacker sets signer exactly equal to num_validators(), the validation passes incorrectly, allowing execution to proceed to validators.get_validator_by_slot_band(signer). Since valid validator indices are zero-based (0 to num_validators-1), this causes an out-of-bounds array access. Rust's panic-on-out-of-bounds behavior terminates the validator process immediately, before the code reaches any cryptographic signature verification that would reject the malicious message. This is classified as CWE-125 (Out-of-bounds Read), though the immediate impact is availability disruption rather than information disclosure, as the panic occurs before data exfiltration. The affected product is identified by CPE cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:*:*:*, covering all versions prior to the 1.3.0 fix.

RemediationAI

Upgrade to Nimiq core-rs-albatross version 1.3.0 or later, released January 2025, which corrects the bounds check from > to >= in ProposalSender::send. The fix is documented in GitHub pull request #3661 (https://github.com/nimiq/core-rs-albatross/pull/3661) and commit 9199364b60c7acae4219800d194bbe07d2997b8c (https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c). Release notes are available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. No workarounds are documented; patching is the only remediation. Validator operators should prioritize this update to prevent service disruption during consensus operations.

Share

EUVD-2026-22061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy