Skip to main content

nimiq-account EUVDEUVD-2026-25060

| CVE-2026-34064 MEDIUM
Integer Underflow (CWE-191)
2026-04-22 https://github.com/nimiq/core-rs-albatross GHSA-vc34-39q2-m6q3
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 07:04 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 19:31 euvd
EUVD-2026-25060
Analysis Generated
Apr 22, 2026 - 19:31 vuln.today
Patch released
Apr 22, 2026 - 19:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:18 nvd
MEDIUM 5.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 15 cargo packages depend on nimiq-account (6 direct, 9 indirect)

Ecosystem-wide dependent count for version 0.2.0.

DescriptionGitHub Advisory

Impact

VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error.

The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.

Patches

The patch for this vulnerability is included as part of v1.3.0.

Workarounds

No known workarounds.

AnalysisAI

Denial of service in Nimiq's vesting contract allows remote unauthenticated attackers to crash nodes by crafting a vesting contract with total_amount exceeding the actual contract balance, then triggering a panic during error handling when min_cap > balance. The vulnerability exploits insufficient validation of vesting contract creation data and integer underflow in the Coin::sub operation, affecting all versions before 1.3.0. Active exploitation would require ability to broadcast transactions to the Nimiq network.

Technical ContextAI

The vulnerability exists in the VestingContract::can_change_balance method within nimiq-account, a Rust crate used by Nimiq's blockchain node software. Vesting contracts are created with 32-byte encoded data that specifies a total_amount parameter, but this value is never validated against the actual contract balance (transaction value). When an attacker creates such a contract with total_amount > actual_balance and later attempts to trigger an outgoing transaction, the error handling path attempts to construct an AccountError::InsufficientFunds error by computing balance: self.balance - min_cap. Because min_cap > balance in the attacker-controlled state, the Coin::sub operation underflows and panics, crashing the node during mempool admission or block processing. This is a CWE-191 (Integer Underflow) flaw masked as error handling logic.

RemediationAI

Upgrade nimiq-account to version 1.3.0 or later, which includes the patch released via commit 4d01946f0b3d6c6e31786f91cdfb3eb902908da0 (merged in GitHub PR #3658). This patch adds validation to ensure total_amount <= actual contract balance during vesting contract creation, preventing the attacker-reachable state. For Nimiq node operators, this typically requires rebuilding the node software with the updated crate dependency and restarting the node. No workarounds are available, so patching is the only mitigation. Reference the official GitHub advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3 for update instructions specific to your deployment.

Share

EUVD-2026-25060 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy