Network Implementation Vulnerability in Nimiq's libp2p Product
CVE-2026-34063

7.5 HIGH

Key Information:

Vendor: Nimiq
CVE Published: 22 April 2026

What is CVE-2026-34063?

In Nimiq's network-libp2p prior to version 1.3.0, the discovery protocol's state machine mishandles multiple inbound and outbound substream negotiations, which crashes the networking task. The crash takes the node's p2p networking offline until the node is restarted, so a remote attacker can use it to disrupt network communications. The issue is resolved in version 1.3.0, and no workarounds are currently available.

Affected Version(s)

network-libp2p < 1.3.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
