CVE-2026-34063

High

Published: 22 April 2026

Published

22 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 14.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34063 is a high-severity Reachable Assertion (CWE-617) vulnerability in Nimiq Nimiq Proof-Of-Stake. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-24 (Fail in Known State) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-11 Error Handling good match

prevent

Requires the network protocol handler to manage errors from duplicate discovery substreams gracefully without triggering a panic and crashing the swarm task.

SI-13 Predictable Failure Prevention good match

prevent

Prevents predictable failures like crashes from repeated substream negotiations on the same libp2p connection by enforcing graceful degradation.

SC-24 Fail in Known State good match

prevent

Ensures the ConnectionHandler fails to a secure known state upon detecting duplicate inbound or outbound discovery substreams instead of panicking.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote exploitation of a public-facing P2P network service to trigger a crash via duplicate substream negotiation, directly enabling application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a…

remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a `panic!(\"Inbound already connected\")` / `panic!(\"Outbound already connected\")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.

Deeper analysisAI

CVE-2026-34063 affects Nimiq's network-libp2p, a Nimiq network implementation based on libp2p, in versions prior to 1.3.0. The vulnerability resides in the discovery mechanism, which uses a libp2p ConnectionHandler state machine that assumes at most one inbound and one outbound discovery substream per connection. If a remote peer opens or negotiates the discovery protocol substream a second time on the same connection, the handler triggers a panic! with messages such as "Inbound already connected" or "Outbound already connected" instead of failing closed, leading to a crash of the networking task (swarm) and taking the node's P2P networking offline until restart. This issue is classified under CWE-617 (Reachable Assertion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any remote peer capable of establishing a connection to the vulnerable node can exploit this flaw with low complexity and no privileges or user interaction required. By simply negotiating a duplicate discovery substream, the attacker triggers the panic, resulting in a denial-of-service that disables the node's P2P networking functionality until manual restart.

The patch is formally released in network-libp2p version 1.3.0, as detailed in the Nimiq core-rs-albatross GitHub commit e0d4e01994f061bf41d3c2835bc74040d3c084f5, pull request #3666, release tag v1.3.0, and security advisory GHSA-74hp-mhfx-m45h. No known workarounds are available.

Details

CWE(s): CWE-617

Affected Products

nimiq

nimiq proof-of-stake

≤ 1.3.0

CVEs Like This One

CVE-2026-33184Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-34065Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-32605Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-28402Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-35468Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-34064Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-33471Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2026-40093Same product: Nimiq Nimiq Proof-Of-Stake

CVE-2025-15530Shared CWE-617

CVE-2026-3608Shared CWE-617

References

https://github.com/nimiq/core-rs-albatross/commit/e0d4e01994f061bf41d3c2835bc74040d3c084f5
Patch · security-advisories@github.com
https://github.com/nimiq/core-rs-albatross/pull/3666
Issue Tracking, Patch · security-advisories@github.com
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
Release Notes · security-advisories@github.com
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-74hp-mhfx-m45h
Patch, Vendor Advisory · security-advisories@github.com