Platform
rust
Component
nimiq/core-rs-albatross
Fixed in
1.3.1
CVE-2026-32605 is a denial-of-service (DoS) vulnerability in Nimiq Core Rust Albatross (nimiq/core-rs-albatross), the Rust implementation of the Nimiq Proof-of-Stake (Albatross) protocol. A malicious peer can crash a validator node by exploiting a missing bounds check in the Tendermint proposal handling path. Versions prior to 1.3.1 are affected; the fix shipped in 1.3.1.
A Tendermint proposal message carries a signer field, an index into the current validator set. The handling code looked the proposer up with validators.get_validator_by_slot_band(signer) without first checking that the index is in range, so a crafted proposal whose signer equals the number of validators (one past the last valid index, since valid indices run from 0 to n-1) triggers an out-of-bounds index access and the process panics. The value is fully attacker-controlled and arrives over the peer-to-peer network, so any connected peer can take a validator offline with a single message. A validator that is down cannot produce blocks or vote, which degrades consensus liveness for as long as it is absent; the impact is therefore concentrated on exactly the nodes the network depends on.
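The following is an added illustration of the bug class described above and of the bounds check that fixes it; it is example code written for this page, not code from nimiq/core-rs-albatross. The types, the message layout, the validator count of four and the function names other than get_validator_by_slot_band are assumptions made for the example. The unchecked lookup panics on signer == num_validators exactly as the advisory describes, while the hardened handler turns the same input into an error the caller can act on (for example by dropping the peer). The exhaustive check at the end goes beyond the single crafted value and confirms that no u16 signer can reach the index.

```rust
// Added example, not nimiq/core-rs-albatross code. Names and layouts below
// (Validator, Validators, Proposal, ProposalError, the handler functions and
// the sample set of 4 validators) are assumptions for illustration only.

#[derive(Debug, Clone, PartialEq)]
pub struct Validator {
    pub id: u32,
    pub num_slots: u16,
}

/// Stand-in for the validator set of one epoch. Validators are addressed by
/// slot-band index, so the valid range is 0..num_validators() (exclusive).
pub struct Validators {
    validators: Vec<Validator>,
}

impl Validators {
    pub fn num_validators(&self) -> u16 {
        self.validators.len() as u16
    }

    /// Vulnerable pattern: indexes the Vec directly. A slot band equal to
    /// num_validators() is one past the end and panics (index out of bounds).
    pub fn get_validator_by_slot_band_unchecked(&self, slot_band: u16) -> &Validator {
        &self.validators[slot_band as usize]
    }

    /// Hardened pattern: Vec::get returns None instead of panicking.
    pub fn get_validator_by_slot_band(&self, slot_band: u16) -> Option<&Validator> {
        self.validators.get(slot_band as usize)
    }
}

/// Minimal stand-in for the fields of a Tendermint proposal that matter here.
#[derive(Debug, Clone)]
pub struct Proposal {
    pub round: u32,
    /// Proposer index as claimed by the sending peer: attacker-controlled.
    pub signer: u16,
}

#[derive(Debug, PartialEq)]
pub enum ProposalError {
    /// Signer index outside 0..num_validators; the message is malformed or hostile.
    UnknownSigner { signer: u16, num_validators: u16 },
}

/// Pre-fix behaviour: trusts proposal.signer and lets the index panic.
pub fn handle_proposal_vulnerable(validators: &Validators, proposal: &Proposal) -> u32 {
    validators.get_validator_by_slot_band_unchecked(proposal.signer).id
}

/// Post-fix behaviour: validate the peer-controlled index before using it and
/// hand the caller an error (grounds for a peer ban) instead of crashing.
pub fn handle_proposal_checked(
    validators: &Validators,
    proposal: &Proposal,
) -> Result<u32, ProposalError> {
    match validators.get_validator_by_slot_band(proposal.signer) {
        Some(v) => Ok(v.id),
        None => Err(ProposalError::UnknownSigner {
            signer: proposal.signer,
            num_validators: validators.num_validators(),
        }),
    }
}

/// Constructed sample set: 4 validators with ids 100..=103 (slot bands 0..=3).
pub fn sample_validators() -> Validators {
    let validators = (0..4)
        .map(|i| Validator { id: 100 + i, num_slots: 128 })
        .collect();
    Validators { validators }
}

/// Runs every possible u16 signer through the hardened handler: values below
/// num_validators must be accepted, everything else rejected, nothing may panic.
pub fn exhaustive_signer_check(validators: &Validators) -> bool {
    let n = validators.num_validators();
    (0..=u16::MAX).all(|signer| {
        let p = Proposal { round: 0, signer };
        match handle_proposal_checked(validators, &p) {
            Ok(_) => signer < n,
            Err(ProposalError::UnknownSigner { .. }) => signer >= n,
        }
    })
}

fn main() {
    let validators = sample_validators();
    let n = validators.num_validators();
    // The crafted message: signer equal to the number of validators.
    let crafted = Proposal { round: 1, signer: n };
    println!("checked handler: {:?}", handle_proposal_checked(&validators, &crafted));
    // Show the panic without taking the whole process down.
    let outcome = std::panic::catch_unwind(|| handle_proposal_vulnerable(&validators, &crafted));
    println!("vulnerable handler panicked: {}", outcome.is_err());
    println!("all u16 signers handled safely: {}", exhaustive_signer_check(&validators));
}
```

The design point is that a value read from the network is an untrusted index until it has been compared against the current set size; the hardened path makes the check impossible to skip by returning Option from the lookup itself rather than relying on every caller to remember it.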
The vulnerability was publicly disclosed on 2026-04-13. No public proof-of-concept (PoC) exploit had been released at the time of writing, and the CVE is not listed in the CISA KEV catalog. Because a single crafted message from any connected peer is enough to crash a node, patching should be prioritized regardless of exploit availability.
Exploit Status
EPSS
0.06% (17th percentile)
The primary mitigation for CVE-2026-32605 is to upgrade Nimiq Core Rust Albatross to version 1.3.1 or later, which adds the missing bounds check so an out-of-range signer is rejected instead of indexed. If upgrading is not immediately feasible, restricting the node's peer set and rate limiting incoming Tendermint proposals reduce exposure, but neither is a fix: one crafted proposal from any accepted peer still triggers the crash, so also run the validator under a process supervisor that restarts it promptly. After upgrading, verify the fix only on a test network, never against a production validator: send a proposal whose signer equals the number of validators and confirm the node rejects it without panicking.
Update to version 1.3.1 or later. That release corrects the bounds check in the proposal buffer so a malicious peer can no longer crash a validator with an out-of-range signer.
CVE-2026-32605 is a denial-of-service vulnerability in Nimiq Core Rust Albatross versions before 1.3.1 that lets a malicious peer crash validator nodes by sending a crafted Tendermint proposal.
You are affected if you run Nimiq Core Rust Albatross version 1.3.0 or earlier. Validator nodes, which process Tendermint proposals, are the nodes at risk.
Upgrade to version 1.3.1 or later to resolve the vulnerability. Peer restrictions and rate limiting only reduce exposure and do not prevent a single crafted message from crashing the node; use them solely as a stopgap until the upgrade is done.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be patched promptly.
Refer to the official Nimiq security advisories and release notes for detailed information and updates regarding CVE-2026-32605.