Denial of Service Vulnerability in Nimiq's Rust Implementation
CVE-2026-34065

7.5 HIGH

Key Information:

Vendor: Nimiq
CVE Published: 22 April 2026

What is CVE-2026-34065?

A denial of service vulnerability exists in Nimiq's Rust implementation, in the nimiq-primitives package. Prior to version 1.3.0, an untrusted peer can force a panic by announcing an election macro block with an invalid compressed BLS voting key. The panic occurs while hashing the election macro header, a step that includes the validators data: the code calls validator.voting_key.uncompress().unwrap(), and the unwrap() panics when the key bytes are invalid. The issue is fixed in version 1.3.0; no workarounds are currently available.
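The failure pattern described above, as an added example (not code from nimiq-primitives or from the 1.3.0 fix): unwrap() on a fallible decode of peer-supplied bytes, next to a variant that returns the error so the caller can reject the block. The types, the toy validity rule and the function names are hypothetical stand-ins.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// Hypothetical stand-in for a compressed key: "valid" here means
// exactly 4 bytes with a nonzero first byte (a toy rule, not BLS).
pub struct CompressedKey(pub Vec<u8>);

#[derive(Debug, PartialEq)]
pub struct InvalidKey;

impl CompressedKey {
    pub fn uncompress(&self) -> Result<[u8; 4], InvalidKey> {
        match self.0.as_slice() {
            [a, b, c, d] if *a != 0 => Ok([*a, *b, *c, *d]),
            _ => Err(InvalidKey),
        }
    }
}

pub struct Validator { pub voting_key: CompressedKey }

// Vulnerable shape: unwrap() on peer-supplied bytes panics inside hashing.
pub fn hash_validators_unwrap(validators: &[Validator]) -> u64 {
    let mut h = DefaultHasher::new();
    for v in validators {
        v.voting_key.uncompress().unwrap().hash(&mut h);
    }
    h.finish()
}

// Hardened shape: the decode error is returned to the caller.
pub fn hash_validators_checked(validators: &[Validator]) -> Result<u64, InvalidKey> {
    let mut h = DefaultHasher::new();
    for v in validators {
        v.voting_key.uncompress()?.hash(&mut h);
    }
    Ok(h.finish())
}

fn main() {
    // Constructed sample: one well-formed key, one malformed key.
    let set = vec![
        Validator { voting_key: CompressedKey(vec![1, 2, 3, 4]) },
        Validator { voting_key: CompressedKey(vec![0, 0]) },
    ];
    match hash_validators_checked(&set) {
        Ok(d) => println!("digest {:x}", d),
        Err(e) => println!("block rejected: {:?}", e),
    }
}
```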

Affected Version(s)

nimiq-primitives < 1.3.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
