CVE-2026-34064
Published: 22 April 2026
Summary
CVE-2026-34064 is a medium-severity Wrap or Wraparound (CWE-191) vulnerability in Nimiq Nimiq Proof-Of-Stake. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces secure error handling to prevent panics from integer underflow in VestingContract::can_change_balance when constructing AccountError::InsufficientFunds.
Requires validation of vesting contract creation inputs to ensure total_amount <= transaction.value, preventing creation of malformed contracts that enable the vulnerable state.
Mandates timely flaw remediation, such as applying the v1.3.0 patch, to eliminate the integer underflow vulnerability in nimiq-account.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an integer underflow that can be triggered remotely via malformed vesting contract data and transaction broadcast, directly causing a node panic/crash. This matches Endpoint Denial of Service via Application or System Exploitation (T1499.004).
NVD Description
nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker…
more
can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Deeper analysisAI
CVE-2026-34064 is an integer underflow vulnerability (CWE-191) in the `nimiq-account` crate, part of Nimiq's Rust implementation (core-rs-albatross). Prior to version 1.3.0, the `VestingContract::can_change_balance` function incorrectly handles cases where `new_balance < min_cap` by attempting to construct an `AccountError::InsufficientFunds` error using `self.balance - min_cap`. This triggers a panic in `Coin::sub` due to underflow when `min_cap > balance`. The vulnerable state is reachable because vesting contract creation data lacks validation to ensure `total_amount <= transaction.value`, allowing an inflated `total_amount` relative to the actual contract balance. The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) and was published on 2026-04-22.
A remote, unauthenticated attacker can exploit this vulnerability by first creating a malformed vesting contract with `total_amount > transaction.value`. Subsequently broadcasting an outgoing transaction triggers the faulty balance check during mempool admission or block processing, causing the affected node to panic and crash. This results in a denial-of-service condition on the targeted node.
The vulnerability is fixed in version 1.3.0 of core-rs-albatross, as detailed in the patch commit (4d01946f0b3d6c6e31786f91cdfb3eb902908da0), pull request #3658, release notes, and security advisory (GHSA-vc34-39q2-m6q3). No workarounds are available.
Details
- CWE(s)