CVE-2026-33471
Published: 22 April 2026
Summary
CVE-2026-33471 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Nimiq Proof-Of-Stake. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly counters the improper input validation (CWE-20) by requiring checks on MultiSignature.signers BitSet indices to reject out-of-range values spaced by 65536 that inflate len() but collide on u16 slots.
Mandates timely flaw remediation via patching to nimiq-block v1.3.0, which fixes the SkipBlockProof::verify quorum logic vulnerable to index casting manipulation.
Requires independent verification of the SkipBlockProof::verify security function's correct behavior to prevent acceptance of forged quorums from fewer than 2f+1 real signers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote network exploitation (AV:N) of public-facing blockchain node software via crafted SkipBlockProof input validation bypass enables transmitted data manipulation (forged quorum proofs) and application-level DoS/integrity violations.
NVD Description
nimiq-block contains block primitives to be used in Nimiq's Rust implementation. `SkipBlockProof::verify` computes its quorum check using `BitSet.len()`, then iterates `BitSet` indices and casts each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0, if an attacker can get a `SkipBlockProof` verified where `MultiSignature.signers` contains out-of-range indices spaced by 65536, these indices inflate `len()` but collide onto the same in-range `u16` slot during aggregation. This makes it possible for a malicious validator with far fewer than `2f+1` real signer slots to pass skip block proof verification by multiplying a single BLS signature by the same factor. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Deeper analysis
CVE-2026-33471 is a vulnerability in the nimiq-block library, which contains block primitives for Nimiq's Rust implementation, specifically within the core-rs-albatross repository. The issue lies in the `SkipBlockProof::verify` function, which computes its quorum check using `BitSet.len()` before iterating over `BitSet` indices and casting each `usize` index to `u16` (`slot as u16`) for slot lookup. Prior to version 1.3.0, an attacker can supply a `SkipBlockProof` where `MultiSignature.signers` includes out-of-range indices spaced by 65536; these indices inflate the `len()` value but collide onto the same in-range `u16` slot during aggregation.
A malicious validator with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By crafting such a proof, the attacker can pass skip block proof verification using far fewer than the required `2f+1` real signer slots, simply by multiplying a single BLS signature by the collision factor. This results in high impacts to integrity (I:H) and availability (A:H) with changed scope (S:C), earning a CVSS v3.1 score of 9.6. Associated CWEs include CWE-20 (Improper Input Validation), CWE-190 (Integer Overflow or Wraparound), CWE-345 (Insufficient Verification of Data Authenticity), and CWE-1284 (Immutable Public Assets Without Hashing).
The patch addressing this vulnerability is included in core-rs-albatross version 1.3.0, as shown in the fix commit and release tag. The GitHub security advisory (GHSA-6973-8887-87ff) documents the issue, and no known workarounds are available.
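The counting mismatch described above, as an added Rust example (not code from nimiq-block or from the advisory): it contrasts a quorum count taken on raw indices with a check that rejects out-of-range indices before counting. A `BTreeSet<usize>` stands in for the `BitSet`, and `SLOTS`, `QUORUM` and both function names are assumptions made for illustration.

```rust
use std::collections::BTreeSet;
use std::convert::TryFrom;

// Assumed values for illustration; not taken from the page or the project.
const SLOTS: usize = 512;
const QUORUM: usize = 2 * SLOTS / 3 + 1; // stand-in for the 2f+1 threshold

/// Pattern the advisory describes: the quorum is counted on the raw index
/// set, while slot lookup uses each index truncated to u16.
/// Returns (quorum check result, number of distinct slots actually used).
fn quorum_unchecked(signers: &BTreeSet<usize>) -> (bool, usize) {
    let counted = signers.len();
    let distinct: BTreeSet<u16> = signers.iter().map(|&i| i as u16).collect();
    (counted >= QUORUM, distinct.len())
}

/// Hardened form: convert without silent truncation, reject any index that
/// is not a valid slot, and count only the distinct validated slots.
fn quorum_checked(signers: &BTreeSet<usize>) -> Result<bool, String> {
    let mut slots = BTreeSet::new();
    for &i in signers {
        let slot = u16::try_from(i).map_err(|_| format!("index {} does not fit u16", i))?;
        if usize::from(slot) >= SLOTS {
            return Err(format!("index {} is not a valid slot", i));
        }
        slots.insert(slot);
    }
    Ok(slots.len() >= QUORUM)
}

fn main() {
    // Constructed input: one in-range slot (7) plus aliases spaced by 65536.
    let aliased: BTreeSet<usize> = (0..QUORUM).map(|k| 7 + k * 65536).collect();
    let (passes, distinct) = quorum_unchecked(&aliased);
    println!("unchecked: passes={}, distinct slots={}", passes, distinct);
    println!("checked:   {:?}", quorum_checked(&aliased));

    // Constructed input: QUORUM distinct in-range slots.
    let honest: BTreeSet<usize> = (0..QUORUM).collect();
    println!("honest:    {:?}", quorum_checked(&honest));
}
```

The unchecked count reaches the threshold while only one distinct slot is referenced; the checked version returns an error on the first index that does not fit `u16`.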
Details
- CWE(s)