CVE-2026-32605
Published: 13 April 2026
Summary
CVE-2026-32605 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Nimiq Proof-of-Stake. Its CVSS base score is 7.5 (High).
Exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 14.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the off-by-one bounds check flaw in ProposalSender::send that allows crafted Tendermint proposals to trigger an out-of-bounds panic and crash the validator.
Enforces proper validation of the signer index in incoming Tendermint proposal messages to block out-of-bounds access before reaching the vulnerable get_validator_by_slot_band call.
Mitigates denial-of-service impacts from untrusted peers sending crafted messages that exploit the bounds check to crash validator nodes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An off-by-one bounds check flaw in Tendermint proposal handling allows a remote unauthenticated peer to send a crafted message that triggers a panic (DoS) before signature verification, which maps directly to T1499.004 Application or System Exploitation.
NVD Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.
Deeper analysis
CVE-2026-32605 is a vulnerability in nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions prior to 1.3.0, the ProposalSender::send function performs an incorrect bounds check using greater-than (>) instead of greater-than-or-equal-to (>=) for the signer index in signed Tendermint proposal messages. This flaw allows a message where the signer equals validators.num_validators() to pass the check, leading to an out-of-bounds index access in validators.get_validator_by_slot_band(signer), which triggers a panic before any signature verification occurs. The vulnerability is rated 7.5 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-125 (Out-of-bounds Read) and CWE-193 (Off-by-one Error).
An untrusted peer on the network can exploit this issue with no required privileges by publishing a crafted signed Tendermint proposal message setting the signer to exactly validators.num_validators(). This bypasses the faulty bounds check, reaches the panic-inducing get_validator_by_slot_band call, and crashes the validator node, resulting in a denial-of-service condition.
The vulnerability has been fixed in version 1.3.0 of nimiq/core-rs-albatross. Mitigation involves updating to this version or later. Key resources include the fixing commit at https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c, pull request https://github.com/nimiq/core-rs-albatross/pull/3661, release notes at https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0, and the GitHub security advisory at https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv.
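The off-by-one described above, shown as an added example in a simplified model (this is not code from nimiq/core-rs-albatross). The `Validators` struct, the `check_signer_*` and `lookup_panics` helpers, the `u16` signer type and the sample keys are assumptions; only the `>` versus `>=` comparison and the panicking indexed lookup come from the advisory text.

```rust
// Simplified stand-in for the validator set; not the project's real types.
struct Validators {
    keys: Vec<&'static str>, // constructed sample data
}

impl Validators {
    fn num_validators(&self) -> usize {
        self.keys.len()
    }

    // Models the behaviour the advisory describes: plain indexing panics when out of range.
    fn get_validator_by_slot_band(&self, signer: u16) -> &'static str {
        self.keys[signer as usize]
    }
}

// Pre-1.3.0 shape of the check: `>` lets signer == num_validators() through.
fn check_signer_vulnerable(v: &Validators, signer: u16) -> Result<(), &'static str> {
    if signer as usize > v.num_validators() {
        return Err("signer out of range");
    }
    Ok(())
}

// Corrected check: valid indices are 0..num_validators(), so equality is rejected.
fn check_signer_fixed(v: &Validators, signer: u16) -> Result<(), &'static str> {
    if signer as usize >= v.num_validators() {
        return Err("signer out of range");
    }
    Ok(())
}

// Returns true if the indexed lookup panics for this signer (the crash condition).
fn lookup_panics(v: &Validators, signer: u16) -> bool {
    std::panic::catch_unwind(|| { v.get_validator_by_slot_band(signer); }).is_err()
}

fn sample_set() -> Validators {
    Validators { keys: vec!["val-0", "val-1", "val-2", "val-3"] }
}

fn main() {
    let v = sample_set();
    let signer = v.num_validators() as u16; // boundary value: one past the last valid index
    println!("old check: {:?}", check_signer_vulnerable(&v, signer));
    println!("new check: {:?}", check_signer_fixed(&v, signer));
    println!("lookup panics: {}", lookup_panics(&v, signer));
}
```

A regression test for this class of bug should exercise the boundary value itself (index equal to the collection length), not only values well outside the range.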
Details
- CWE(s)