Peer-Controlled Limit Vulnerability in Nimiq Core Rust Implementation
CVE-2026-33184

7.5 HIGH

Key Information:

Vendor: Nimiq
CVE Published: 3 April 2026

What is CVE-2026-33184?

Nimiq core-rs-albatross, a Rust implementation based on the Albatross consensus algorithm, has a vulnerability in its handshake process. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit without validation. A peer can therefore supply a limit of zero during the handshake, which later causes a calculation error once the session reaches the established state. The result is a capacity overflow in the random library and a panic. The issue is resolved in version 1.3.0; updating to that version or later mitigates it.
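The class of fix described above, as an added sketch that is not code from core-rs-albatross: a peer-supplied limit is validated when the handshake message arrives, and arithmetic on it is guarded again at the point of use. All names, the `MAX_LIMIT` ceiling and the `limit - 1` calculation are assumptions, since the page does not say which calculation fails.

```rust
// Added illustration. Every identifier here is hypothetical, not the project's own.
#[derive(Debug, PartialEq)]
pub enum HandshakeError {
    ZeroLimit,
    LimitTooLarge { got: u16, max: u16 },
}

/// Local ceiling on entries per update (assumed value, not from the advisory).
pub const MAX_LIMIT: u16 = 1000;

/// Validate the peer-supplied limit before it is stored in session state.
pub fn validate_peer_limit(limit: u16) -> Result<u16, HandshakeError> {
    match limit {
        0 => Err(HandshakeError::ZeroLimit),
        l if l > MAX_LIMIT => Err(HandshakeError::LimitTooLarge { got: l, max: MAX_LIMIT }),
        l => Ok(l),
    }
}

/// Unguarded stand-in for a later calculation on the stored limit (assumed form).
/// With limit == 0 the result wraps to usize::MAX; handing such a value to a
/// routine that pre-allocates that many slots aborts with "capacity overflow".
pub fn sample_size_unchecked(limit: u16) -> usize {
    (limit as usize).wrapping_sub(1)
}

/// Defence in depth at the point of use: saturate instead of wrapping and
/// never request more items than are actually available.
pub fn sample_size_checked(limit: u16, available: usize) -> usize {
    (limit as usize).saturating_sub(1).min(available)
}

fn main() {
    // Constructed inputs: limits as they might arrive in a handshake message.
    for limit in [0u16, 50, 5000] {
        println!("limit {:>4}: {:?}", limit, validate_peer_limit(limit));
    }
    println!("unchecked(0)   = {}", sample_size_unchecked(0));
    println!("checked(0, 10) = {}", sample_size_checked(0, 10));
}
```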

Affected Version(s)

core-rs-albatross < 1.3.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
