An off‑by‑one error in the signer bounds check of the ProposalSender::send function allows an unauthenticated peer to cause a validator node to panic. By sending a signed Tendermint proposal where the signer field equals the number of validators, the check mistakenly accepts the value, leading to an out‑of‑bounds array access and a crash before any signature verification occurs. The vulnerability falls under CWE‑125 (Out‑of‑Bounds Read) and CWE‑193 (Off‑by‑One Errors), resulting in a Denial of Service that prevents the affected node from participating in the network.

Nimiq’s core‑rs‑albatross is a Rust implementation of the Nimiq Proof‑of‑Stake protocol and the Albatross consensus algorithm. Versions prior to 1.3.0 are affected. The flaw is present in the core‑rs‑albatross software distributed by the Nimiq project.

The CVSS score of 7.5 indicates a high impact, but the absence of an EPSS score means the exact likelihood cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, yet it can be exploited over the network by an untrusted peer simply by broadcasting a malformed proposal. The attack does not require privileged access; the write‑time is minimal, making it feasible. As such, the risk to networks running vulnerable nodes is significant and warrants prompt remediation.