Block Storage Vulnerability in Nimiq's Rust Implementation
CVE-2026-40094

4.3MEDIUM

Key Information:

Vendor

Nimiq

Status
Core-rs-albatross
Vendor
CVE Published:
20 May 2026

What is CVE-2026-40094?

The nimiq-blockchain, which provides persistent block storage for Nimiq's Rust implementation, contains a vulnerability that affects its ability to handle peer contact updates. In versions prior to 1.4.0, the network-libp2p discovery system can accept signed PeerContact updates from untrusted sources without adequate validation. This flaw allows an attacker to insert a malicious PeerContact that contains an empty list of addresses. When the address book is constructed using this faulty entry, it can lead to a crash of the node or RPC task if the system attempts to access these empty addresses. The issue has been resolved in version 1.4.0, emphasizing the importance of keeping software updated to mitigate such risks.

Affected Version(s)

core-rs-albatross < 1.4.0

References

https://github.com/nimiq/core-rs-albatross/security/advis...
x_refsource_CONFIRM
https://github.com/nimiq/core-rs-albatross/pull/3715
x_refsource_MISC
https://github.com/nimiq/core-rs-albatross/releases/tag/v...
x_refsource_MISC

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.