Skip to main content

Nimiq network-libp2p EUVDEUVD-2026-25058

| CVE-2026-34063 HIGH
Reachable Assertion (CWE-617)
2026-04-22 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 24, 2026 - 17:22 vuln.today
cvss_changed
Patch released
Apr 24, 2026 - 17:12 nvd
Patch available
Analysis Generated
Apr 23, 2026 - 06:50 vuln.today
Patch available
Apr 22, 2026 - 20:32 EUVD
EUVD ID Assigned
Apr 22, 2026 - 20:01 euvd
EUVD-2026-25058
Analysis Generated
Apr 22, 2026 - 20:01 vuln.today
CVE Published
Apr 22, 2026 - 19:40 nvd
HIGH 7.5

DescriptionGitHub Advisory

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, network-libp2p discovery uses a libp2p ConnectionHandler state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a panic!(\"Inbound already connected\") / panic!(\"Outbound already connected\") path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.

AnalysisAI

Remote unauthenticated denial of service crashes Nimiq blockchain nodes by exploiting a protocol state machine flaw. Attackers can force panic conditions in the libp2p discovery handler by opening duplicate protocol substreams, immediately taking peer-to-peer networking offline until manual restart. Vendor-released patch available in version 1.3.0 with no workarounds for unpatched systems, creating urgent upgrade requirement for blockchain node operators.

Technical ContextAI

Nimiq network-libp2p implements peer discovery using libp2p's ConnectionHandler state machine architecture. The vulnerability (CWE-617: Reachable Assertion) exists in the discovery protocol's substream management logic. The handler incorrectly assumes at most one inbound and one outbound discovery substream can exist per connection simultaneously. When a remote peer negotiates the discovery protocol a second time on an existing connection, the code hits hardcoded panic assertions ('panic!("Inbound already connected")' or 'panic!("Outbound already connected")') rather than gracefully handling the duplicate substream attempt. In Rust, panic! calls cause thread/task termination, which in this case crashes the entire networking swarm task. This affects all network-libp2p versions prior to 1.3.0 (CPE: cpe:2.3:a:nimiq:network-libp2p:*:*:*:*:*:*:*:* where version < 1.3.0).

RemediationAI

Upgrade to Nimiq network-libp2p version 1.3.0 or later immediately. The patch is formally released as part of core-rs-albatross v1.3.0, available at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0. The fix implementation can be reviewed in commit e0d4e01994f061bf41d3c2835bc74040d3c084f5. No workarounds exist for unpatched versions per the vendor advisory. Node operators must perform version upgrade and service restart to remediate. For environments requiring staged deployment, prioritize internet-facing validator nodes and public peers first, as these have highest exposure to untrusted remote peers. Compensating controls are ineffective since the vulnerability exists in core protocol handling logic rather than configuration-dependent features. Network-level filtering cannot prevent exploitation as legitimate discovery protocol traffic is indistinguishable from malicious duplicate substream attempts until protocol negotiation occurs.

Share

EUVD-2026-25058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy