CVE-2026-33184
Published: 03 April 2026
Summary
CVE-2026-33184 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in Nimiq Proof-of-Stake. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of peer-controlled inputs such as the limit value during handshake to reject malicious values like zero that trigger integer overflow and panic.
Mandates secure error handling for integer operations and unwraps to prevent process crashes from capacity overflow panics during peer list updates.
Ensures timely identification, testing, and deployment of patches like version 1.3.0 to remediate the specific integer overflow flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of public-facing P2P discovery handler via crafted handshake triggers integer overflow panic, enabling application-layer DoS on the target node.
NVD Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.
Deeper analysis
CVE-2026-33184 is an integer overflow vulnerability (CWE-191) in nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions prior to 1.3.0, the discovery handler accepts a peer-controlled limit value during the handshake process and stores it unchanged. This leads to a panic during periodic peer list updates in established sessions when the limit is set to zero, as self.peer_list_limit.unwrap() cast to usize minus one wraps around to usize::MAX, causing rand 0.9.2's choose_multiple() to attempt Vec::with_capacity() with an overflowing value.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption. A remote, unauthenticated attacker can exploit it by initiating a handshake with a peer-controlled limit of zero during discovery. The handshake acknowledgment path initially appears benign by returning zero contacts, allowing the session to reach the Established state. Subsequent periodic updates then trigger the overflow and deterministic panic, resulting in denial of service via process crash on the targeted node.
The issue has been addressed in version 1.3.0 of nimiq/core-rs-albatross. Mitigation involves upgrading to the patched release, as detailed in the GitHub security advisory (GHSA-5rm9-893q-vmhm), the fix commit (8f60a2d75b74b55764ecf34bd4435f4961630595), pull request #3664, and the v1.3.0 release notes.
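The arithmetic described above, as an added example that is not code from nimiq/core-rs-albatross or its 1.3.0 fix: it reproduces the wrap with the standard library only and shows one way to validate the limit at handshake time and compute the sample size safely. The function names, the u16 limit type and the Vec<u64> element type are assumptions.

```rust
// Added illustration: names and the u16 limit type are assumptions, not project code.

#[derive(Debug, PartialEq)]
pub enum LimitError {
    Zero,
}

/// The update-path arithmetic from the description. `wrapping_sub` makes the
/// release-build behaviour of `as usize - 1` explicit on every build profile.
pub fn sample_size_wrapping(peer_list_limit: Option<u16>) -> usize {
    (peer_list_limit.unwrap() as usize).wrapping_sub(1)
}

/// True if a Vec<u64> of this capacity can be reserved. Uses the fallible API,
/// so an impossible capacity is reported as `false` instead of a panic.
pub fn can_reserve(amount: usize) -> bool {
    Vec::<u64>::new().try_reserve_exact(amount).is_ok()
}

/// Input validation at handshake time: refuse to store an unusable limit.
pub fn validate_limit(limit: u16) -> Result<u16, LimitError> {
    if limit == 0 {
        return Err(LimitError::Zero);
    }
    Ok(limit)
}

/// Hardened update path: no unwrap, checked subtraction, and the result is
/// clamped to the number of contacts actually held. `None` means "skip".
pub fn sample_size_checked(peer_list_limit: Option<u16>, available: usize) -> Option<usize> {
    let limit = usize::from(peer_list_limit?);
    limit.checked_sub(1).map(|n| n.min(available))
}

fn main() {
    let wrapped = sample_size_wrapping(Some(0));
    println!("limit=0 wraps to {}; reservable: {}", wrapped, can_reserve(wrapped));
    println!("validate_limit(0) = {:?}", validate_limit(0));
    println!("checked(Some(0), 100) = {:?}", sample_size_checked(Some(0), 100));
    println!("checked(Some(10), 3) = {:?}", sample_size_checked(Some(10), 3));
}
```

Either check alone stops the crash; applying both means a stored limit is never trusted again on the later update path.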
Details
- CWE(s)