Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Remote Crash)
Action: Apply Patch
AI Analysis

Impact

An off‑by‑one error in the signer bounds check of the ProposalSender::send function allows an unauthenticated peer to cause a validator node to panic. By sending a signed Tendermint proposal where the signer field equals the number of validators, the check mistakenly accepts the value, leading to an out‑of‑bounds array access and a crash before any signature verification occurs. The vulnerability falls under CWE‑125 (Out‑of‑Bounds Read) and CWE‑193 (Off‑by‑One Errors), resulting in a Denial of Service that prevents the affected node from participating in the network.

Affected Systems

Nimiq’s core‑rs‑albatross is a Rust implementation of the Nimiq Proof‑of‑Stake protocol and the Albatross consensus algorithm. Versions prior to 1.3.0 are affected. The flaw is present in the core‑rs‑albatross software distributed by the Nimiq project.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact, but the absence of an EPSS score means the exact likelihood cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, yet it can be exploited over the network by an untrusted peer simply by broadcasting a malformed proposal. The attack does not require privileged access; the write‑time is minimal, making it feasible. As such, the risk to networks running vulnerable nodes is significant and warrants prompt remediation.

Generated by OpenCVE AI on April 13, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nimiq core‑rs‑albatross to version 1.3.0 or newer

Generated by OpenCVE AI on April 13, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq core-rs-albatross
Vendors & Products Nimiq
Nimiq core-rs-albatross

Mon, 13 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Description nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.
Title Nimiq: Remote crash via off-by-one signer bounds check in proposal buffer
Weaknesses CWE-125
CWE-193
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nimiq Core-rs-albatross
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T18:54:58.542Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32605

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-13T20:16:33.787

Modified: 2026-04-13T20:16:33.787

Link: CVE-2026-32605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:33:32Z

Weaknesses