Approved changes feed: RSS · Atom

cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorNimiq (a6c6d398-2780-5e77-a82f-ca37478d870d)
ProductCore Rs Albatross (24b78fe4-6c1b-5189-841a-5523f30d2254)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/nimiq/core-rs-albatross purl2cpe 2026-06-01 10:12:23.280882

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-40094 vulnerable 2026-06-08 08:01:19.884891 nimiq-blockchain: network-libp2p untrusted peer can crash address book via empty peer contact addresses
MEDIUM (4.3)
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.
Published: 2026-05-20T21:27:40.862Z
Updated: 2026-05-21T12:21:16.840Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-40093 vulnerable 2026-06-08 08:01:19.883355 nimiq-blockchain is missing a wall-clock upper bound on block timestamps
HIGH (8.1)
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.
Published: 2026-04-09T20:29:46.026Z
Updated: 2026-04-13T15:38:14.634Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-40092 vulnerable 2026-06-08 08:01:19.882889 nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
HIGH (7.5)
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The maliciously crafted record would contain a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64 in order to cause a crash. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics. This issue has been fixed in version 1.4.0.
Published: 2026-05-20T21:16:40.805Z
Updated: 2026-05-21T12:23:18.024Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-35468 vulnerable 2026-06-08 07:59:14.037015 nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs without the history index
MEDIUM (5.3)
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction. HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. when a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.
Published: 2026-04-03T22:10:06.156Z
Updated: 2026-04-06T17:22:04.161Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-34069 vulnerable 2026-06-08 07:59:11.734822 nimiq-consensus panics via RequestMacroChain micro-block locator
MEDIUM (5.3)
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the first locator hash on the victim’s main chain is a micro block hash (not a macro block hash) causes said panic. The RequestMacroChain::handle handler selects the locator based only on "is on main chain", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro). This issue has been fixed in version 1.3.0.
Published: 2026-04-13T23:55:52.994Z
Updated: 2026-04-14T16:28:14.091Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-34061 vulnerable 2026-06-08 07:59:11.724317 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33184 vulnerable 2026-06-08 07:59:09.304881 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-32605 vulnerable 2026-06-08 07:57:17.742740 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-28402 vulnerable 2026-06-08 07:55:15.253457 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-47270 vulnerable 2026-06-08 07:27:09.872297 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.