Platform
rust
Component
nimiq/core-rs-albatross
Fixed version
1.3.1
CVE-2026-32605 describes a denial-of-service (DoS) vulnerability discovered in Nimiq Core Rust Albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol. This flaw allows a malicious peer to crash a validator node by exploiting a bounds check error in the proposal handling process. The vulnerability affects versions of Nimiq Core Rust Albatross prior to 1.3.0, and a fix has been released in version 1.3.0.
An attacker can leverage this vulnerability to disrupt the operation of Nimiq Core Rust Albatross validator nodes. By crafting a malicious Tendermint proposal message where the signer equals the number of validators, the attacker can trigger a panic due to an out-of-bounds index access within the validators.getvalidatorbyslotband(signer) function. This crash effectively takes the validator offline, potentially impacting the network's consensus mechanism and overall stability. The impact is particularly severe as validator nodes are critical for maintaining the integrity and functionality of the Nimiq blockchain.
This vulnerability was publicly disclosed on 2026-04-13. No known public proof-of-concept (PoC) exploits have been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the nature of the vulnerability and the potential for disruption, it is recommended to prioritize patching.
Nimiq Core Rust Albatross validator nodes running versions prior to 1.3.0 are directly at risk. This includes individuals and organizations operating validator nodes within the Nimiq network, particularly those who have not implemented robust network security measures or are running older, unpatched versions of the software.
• rust / server:
# Check for version < 1.3.0
cargo version
• rust / supply-chain:
# Inspect Cargo.toml for dependencies and versions
grep nimiq Cargo.toml
Exploitation status
EPSS
0.06% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32605 is to immediately upgrade Nimiq Core Rust Albatross to version 1.3.0 or later. This version includes a corrected bounds check that prevents the out-of-bounds access. If upgrading is not immediately feasible, consider implementing network-level rate limiting on incoming Tendermint proposals to reduce the attack surface. While not a complete solution, this can help to mitigate the risk of a successful attack. After upgrading, confirm the fix by sending a crafted proposal with the signer equal to the number of validators and verifying that the node does not panic.
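The following is an added illustration of the bug class the advisory describes (an index equal to the collection length passing through an unchecked lookup) next to the checked form that the 1.3.0 fix corresponds to. It is not Nimiq's code: the `Validators`, `Validator` and `Proposal` types, the lookup names and the three-entry validator set are all constructed for this example.

```rust
// Added example: unchecked vs. checked slot-band lookup. Not Nimiq's code;
// every type and function name here is hypothetical.

/// Stand-in for a validator entry (constructed for the example).
#[derive(Debug, Clone, PartialEq)]
pub struct Validator {
    pub name: String,
}

/// Stand-in for a validator set with one entry per slot band.
pub struct Validators {
    slot_bands: Vec<Validator>,
}

impl Validators {
    pub fn new(names: &[&str]) -> Self {
        Validators {
            slot_bands: names.iter().map(|n| Validator { name: n.to_string() }).collect(),
        }
    }

    pub fn num_validators(&self) -> usize {
        self.slot_bands.len()
    }

    /// Unchecked lookup: indexing panics when `band >= len`, which is exactly
    /// the case signer == number of validators (one past the last valid index).
    pub fn get_by_slot_band_unchecked(&self, band: usize) -> &Validator {
        &self.slot_bands[band]
    }

    /// Checked lookup: `Vec::get` returns None for any out-of-range band,
    /// so the caller can reject the message instead of crashing.
    pub fn get_by_slot_band(&self, band: usize) -> Option<&Validator> {
        self.slot_bands.get(band)
    }
}

/// Minimal proposal message carrying only the signer index (constructed).
pub struct Proposal {
    pub signer: u16,
}

/// Hardened handler: validates the signer before any indexing. A malformed
/// message yields an Err the node can log and attribute to the sending peer.
pub fn handle_proposal(validators: &Validators, proposal: &Proposal) -> Result<String, String> {
    let band = proposal.signer as usize;
    match validators.get_by_slot_band(band) {
        Some(v) => Ok(v.name.clone()),
        None => Err(format!(
            "rejected proposal: signer {} out of range (validator count {})",
            band,
            validators.num_validators()
        )),
    }
}

/// Shows that the unchecked variant panics on the boundary value; catch_unwind
/// keeps the demonstration itself from aborting.
pub fn unchecked_lookup_panics(validators: &Validators, band: usize) -> bool {
    std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        let _ = validators.get_by_slot_band_unchecked(band);
    }))
    .is_err()
}

fn main() {
    let validators = Validators::new(&["alice", "bob", "carol"]);
    // Boundary value: equal to the validator count, so not a valid index.
    let boundary = validators.num_validators() as u16;
    println!(
        "unchecked lookup panics on boundary: {}",
        unchecked_lookup_panics(&validators, boundary as usize)
    );
    println!(
        "checked handler on boundary: {:?}",
        handle_proposal(&validators, &Proposal { signer: boundary })
    );
}
```

The checked handler is the pattern to look for when reviewing message-handling code: any index that originates from the network must be compared against the collection length (or go through an Option-returning accessor) before it is used, and the rejection should be logged with the peer identity so repeated malformed messages are visible in detection.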
Upgrade to version 1.3.0 or later to correct the vulnerability. This version fixes the incorrect bounds check in the proposal buffer, preventing a malicious peer from crashing the validator.
CVE-2026-32605 is a denial-of-service vulnerability in Nimiq Core Rust Albatross versions before 1.3.0, allowing attackers to crash validator nodes by sending crafted Tendermint proposals.
You are affected if you are running Nimiq Core Rust Albatross version 1.3.0 or earlier. Validator nodes are particularly vulnerable.
Upgrade to version 1.3.0 or later to resolve the vulnerability. Consider network rate limiting as a temporary mitigation if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability is publicly known and should be patched promptly.
Refer to the official Nimiq security advisories and release notes for detailed information and updates regarding CVE-2026-32605.