Transaction Primitive Vulnerability in Nimiq's Rust Implementation
CVE-2026-34067

3.1 LOW

Key Information:

Vendor

Nimiq

CVE Published:
22 April 2026

What is CVE-2026-34067?

The Nimiq transaction primitive, part of Nimiq's Rust implementation, contains a vulnerability that may lead to crashes under certain conditions. Specifically, the HistoryTreeProof::verify function can panic when it encounters a malformed proof in which the lengths of the history and positions do not match. Because inclusion proofs arrive in untrusted p2p responses, a malicious peer can trigger the panic by sending a crafted inclusion proof. The defect was fixed in version 1.3.0, which validates input proofs so that the panic no longer occurs.
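
An added illustration, not Nimiq's code: a simplified model of how a length mismatch between history items and positions can become a panic, next to a version that validates lengths first. ToyProof, ProofError, fold, verify_unchecked and verify_checked are hypothetical names, and the indexing pattern is an assumption about the bug class, not the nimiq-transaction source or its actual fix.

```rust
// Simplified model of an inclusion proof: one leaf position per history item.
// Type and field names are hypothetical, not taken from nimiq-transaction.
pub struct ToyProof {
    pub history: Vec<u64>,     // stand-in for history item hashes
    pub positions: Vec<usize>, // leaf index claimed for each item
}

#[derive(Debug, PartialEq)]
pub enum ProofError {
    LengthMismatch { history: usize, positions: usize },
}

// Toy commitment over (position, item) pairs; stands in for the real tree hash.
fn fold(acc: u64, pos: usize, item: u64) -> u64 {
    (acc ^ item ^ pos as u64).wrapping_mul(0x0000_0100_0000_01b3)
}

// Unchecked pattern (assumed for illustration): trusts that both vectors have
// equal length. Indexing panics when `positions` is shorter than `history`.
pub fn verify_unchecked(p: &ToyProof, root: u64) -> bool {
    let mut acc = 0xcbf2_9ce4_8422_2325u64;
    for (i, item) in p.history.iter().enumerate() {
        acc = fold(acc, p.positions[i], *item); // out-of-bounds => panic
    }
    acc == root
}

// Hardened pattern: reject malformed proofs before touching the data,
// so a bad peer response becomes an error value instead of a crash.
pub fn verify_checked(p: &ToyProof, root: u64) -> Result<bool, ProofError> {
    if p.history.len() != p.positions.len() {
        return Err(ProofError::LengthMismatch {
            history: p.history.len(),
            positions: p.positions.len(),
        });
    }
    let acc = p.history.iter().zip(&p.positions)
        .fold(0xcbf2_9ce4_8422_2325u64, |acc, (item, pos)| fold(acc, *pos, *item));
    Ok(acc == root)
}

fn main() {
    // Constructed sample proofs: `bad` has two history items but one position.
    let bad = ToyProof { history: vec![11, 22], positions: vec![0] };
    let good = ToyProof { history: vec![11, 22], positions: vec![0, 1] };
    println!("{:?}", verify_checked(&bad, 0));
    println!("{}", verify_unchecked(&good, 0));
}
```

Code that handles peer-supplied proofs should treat the error as a failed verification of that response, never unwrap it.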

Affected Version(s)

nimiq-transaction < 1.3.0

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
