Panic in Nimiq Proof-of-Stake Implementation Due to Unauthenticated Peer Issue
CVE-2026-34069

5.3 MEDIUM

Key Information:

Vendor: Nimiq
CVE Published: 13 April 2026

What is CVE-2026-34069?

The Nimiq core-rs-albatross implementation of the Proof-of-Stake protocol can be made to panic by an unauthenticated peer that sends a specific RequestMacroChain message. The panic occurs when the first locator hash that lies on the victim's main chain is a micro block hash rather than a macro block hash. The handler selects the locator using only the main chain check and does not verify the type of block, so processing fails with a panic, which can impact the stability of the blockchain. This issue has been addressed in version 1.3.0.
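The failure pattern described above, as an added example that is not code from core-rs-albatross or its patch: a simplified model in which a handler picks a locator by a main-chain check alone and then unwraps a macro-only query, next to one way of hardening it. All type and function names and the sample hashes are hypothetical and constructed for illustration.

```rust
// Simplified model with hypothetical names; not the core-rs-albatross API.
#[derive(PartialEq)]
pub enum Kind { Micro, Macro }
#[derive(PartialEq, Debug)]
pub enum ChainError { BlockIsNotMacro, UnknownBlock }
pub struct Block { pub hash: u64, pub kind: Kind, pub on_main: bool }
// Blocks in height order; the hashes are constructed sample values.
pub struct Chain { pub blocks: Vec<Block> }

impl Chain {
    pub fn is_on_main_chain(&self, hash: u64) -> bool {
        self.blocks.iter().any(|b| b.hash == hash && b.on_main)
    }
    pub fn is_main_chain_macro(&self, hash: u64) -> bool {
        self.blocks.iter().any(|b| b.hash == hash && b.on_main && b.kind == Kind::Macro)
    }
    // Macro-only query: main-chain macro blocks after `start`.
    pub fn macro_blocks_after(&self, start: u64) -> Result<Vec<u64>, ChainError> {
        let pos = self.blocks.iter().position(|b| b.hash == start)
            .ok_or(ChainError::UnknownBlock)?;
        if self.blocks[pos].kind != Kind::Macro {
            return Err(ChainError::BlockIsNotMacro);
        }
        Ok(self.blocks[pos + 1..].iter()
            .filter(|b| b.on_main && b.kind == Kind::Macro)
            .map(|b| b.hash).collect())
    }
}

// Flawed: locator chosen by the main-chain check alone; unwrap() panics on a micro hash.
pub fn handle_flawed(chain: &Chain, locators: &[u64]) -> Vec<u64> {
    let start = locators.iter().copied().find(|&h| chain.is_on_main_chain(h));
    start.map_or(Vec::new(), |h| chain.macro_blocks_after(h).unwrap())
}

// Hardened: the locator must be a main-chain macro block; errors go to the caller.
pub fn handle_hardened(chain: &Chain, locators: &[u64]) -> Result<Vec<u64>, ChainError> {
    let start = locators.iter().copied().find(|&h| chain.is_main_chain_macro(h));
    start.map_or(Ok(Vec::new()), |h| chain.macro_blocks_after(h))
}

pub fn sample_chain() -> Chain {
    let b = |hash, kind, on_main| Block { hash, kind, on_main };
    Chain { blocks: vec![b(10, Kind::Macro, true), b(11, Kind::Micro, true), b(20, Kind::Macro, true)] }
}

fn main() {
    // Constructed request: the first locator (11) is a main-chain micro block.
    println!("{:?}", handle_hardened(&sample_chain(), &[11, 10])); // Ok([20])
}
```

In a handler for unauthenticated input, any `unwrap()` on a result that depends on peer-supplied data is worth reviewing, since a panic there is reachable by any peer.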

Affected Version(s)

core-rs-albatross < 1.3.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
