CVE-2026-34065
Published: 22 April 2026
Summary
CVE-2026-34065 is a high-severity Unchecked Return Value (CWE-252) vulnerability in Nimiq Nimiq Proof-Of-Stake. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the improper handling of exceptional conditions (CWE-755) by requiring graceful error handling for invalid BLS voting key decompression instead of panicking.
Requires validation of untrusted P2P inputs such as election macro block validators sets to reject invalid compressed BLS voting keys before hashing or decompression.
Ensures timely identification, testing, and deployment of patches for the specific flaw enabling DoS crashes from invalid BLS keys in nimiq-primitives.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability allows remote unauthenticated P2P exploitation of a public-facing node to trigger crash via malformed block announcement, directly enabling T1190 (exploit public-facing app) for DoS impact via T1499.004 (application/system exploitation).
NVD Description
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid…
more
compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Deeper analysisAI
CVE-2026-34065 is a vulnerability in the nimiq-primitives crate, which provides primitives such as blocks, accounts, and transactions for Nimiq's Rust implementation, specifically in versions prior to 1.3.0. An untrusted P2P peer can trigger a node panic by announcing an election macro block whose validators set includes an invalid compressed BLS voting key. The issue arises during hashing of the election macro header, which invokes `Validators::voting_keys()` and subsequently `validator.voting_key.uncompress().unwrap()`, panicking on invalid bytes. It is associated with CWE-252 (Unchecked Return Value) and CWE-755 (Improper Handling of Exceptional Conditions), with a CVSS v3.1 base score of 7.5.
The attack requires only network access to an affected node, with no authentication, privileges, or user interaction needed (AV:N/AC:L/PR:N/UI:N). An attacker connected via P2P can send a specially crafted election macro block announcement, causing the node to crash and resulting in a denial-of-service condition due to high availability impact (A:H), with no confidentiality or integrity effects (C:N/I:N).
Mitigation is provided by upgrading to version 1.3.0 of core-rs-albatross, which includes the patch via commit e10eaebcd7774e5da6d0ff5e88ed13503474f0ff and pull request #3662. No workarounds are available, as stated in the GitHub security advisory GHSA-7c4j-2m43-2mgh and release notes.
Details
- CWE(s)