CVE-2026-28402
Published: 27 February 2026
Summary
CVE-2026-28402 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Nimiq Nimiq Proof-Of-Stake. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Proper validation of integrity check values is required for reliable tamper detection, directly reducing undetected modification risks.
Requires validation of integrity check values on every resolution response, directly mitigating tampered or corrupted DNS data.
Control mandates proper validation of integrity values (checksums) on prepared data, making flawed validation of those checks ineffective for attackers.
Requires use of proper integrity verification tools, reducing the chance an incorrect check value is accepted.
Requires proper validation of integrity mechanisms, directly mitigating flawed check-value handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in macro block proposal verification (missing body_root integrity binding check) allows a malicious/compromised validator proposer to submit malformed data that passes initial checks but triggers panics/crashes on receiving validators, directly enabling application exploitation for endpoint DoS (high availability impact).
NVD Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator that is elected as proposer can publish a macro block proposal where `header.body_root` does not…
more
match the actual macro body hash. The proposal can pass proposal verification because the macro proposal verification path validates the header but does not validate the binding `body_root == hash(body)`; later code expects this binding and may panic on mismatch, crashing validators. Note that the impact is only for validator nodes. The patch for this vulnerability is formally released as part of v1.2.2. The patch adds the corresponding body root verification in the proposal checks. No known workarounds are available.
Deeper analysisAI
CVE-2026-28402 affects nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm, in versions prior to 1.2.2. The vulnerability arises in macro block proposal verification, where a proposer can submit a proposal with a `header.body_root` that does not match the hash of the actual macro body. The verification process checks the header but skips validating the binding between `body_root` and `hash(body)`, allowing the malformed proposal to pass initial checks. Subsequent code assumes this binding holds true, potentially triggering a panic and crash on validator nodes when processing the mismatch. This issue is classified under CWE-354 (Improper Validation of Integrity Check Value) with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
Exploitation requires a malicious or compromised validator to be elected as proposer, granting low-privilege (PR:L) network access (AV:N) with low complexity (AC:L) and no user interaction (UI:N). The attacker publishes the tampered macro block proposal, which validators accept during proposal verification but fail to process correctly later, leading to panics and crashes. This results in a denial-of-service on affected validator nodes, with high availability impact (A:H) and low integrity impact (I:L), but no confidentiality loss (C:N). The scope remains unchanged (S:U), and impacts are limited to validator nodes only.
The patch, released in version 1.2.2, adds explicit verification of the `body_root == hash(body)` binding during proposal checks, as detailed in the GitHub security advisory (GHSA-7wh6-rmxx-ww47), pull request #3623, commit 6454c26d966858c5520f55739a30b94c17656c85, and release notes. No workarounds are available.
Details
- CWE(s)