Skip to main content

Nimiq EUVDEUVD-2026-31197

| CVE-2026-40092 HIGH
Unchecked Return Value (CWE-252)
2026-05-15 https://github.com/nimiq/core-rs-albatross GHSA-27w2-87xv-37c6
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 17:16 vuln.today
Analysis Generated
May 15, 2026 - 17:16 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 19 cargo packages depend on nimiq-keys (15 direct, 4 indirect)

Ecosystem-wide dependent count for version 0.2.0.

DescriptionGitHub Advisory

Impact

A malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record containing a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics.

Patches

The patch for this vulnerability is formally released as part of v1.4.0.

Workarounds

No known workarounds.

Resources

See PR.

AnalysisAI

Remote denial-of-service vulnerability in Nimiq full nodes allows unauthenticated attackers to crash nodes by publishing malformed Kademlia DHT records with incorrect Ed25519 signature lengths. The vulnerability triggers a panic in the Ed25519 signature verification code when processing DHT records with signatures not exactly 64 bytes. Vendor-released patch: v1.4.0.

Technical ContextAI

The vulnerability exists in the nimiq-keys Rust crate, specifically in the TaggedPublicKey implementation for Ed25519 signatures. When verifying signatures from DHT records, the code calls Ed25519Signature::from_bytes(sig).unwrap() without first checking that the signature slice is exactly 64 bytes. The ed25519_zebra library's try_from method returns an error for non-64-byte slices, causing the unwrap() to panic. This represents a CWE-252 (Unchecked Return Value) where error handling is missing for invalid input lengths.

RemediationAI

Vendor-released patch: v1.4.0 of core-rs-albatross includes the fix that adds proper error handling for invalid signature lengths. Administrators should upgrade to v1.4.0 or later immediately. The patch modifies the Ed25519 TaggedPublicKey::verify implementation to return false instead of panicking when signature validation fails. No workarounds are available according to the vendor. Patch details are available at https://github.com/nimiq/core-rs-albatross/pull/3708 and the release at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0.

Share

EUVD-2026-31197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy