Description
Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a `panic!(\"Inbound already connected\")` / `panic!(\"Outbound already connected\")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service on Node's P2P Networking
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in Nimiq's network-libp2p implementation, where the ConnectionHandler state machine mistakenly assumes there can be at most one inbound and one outbound discovery substream per connection. If a remote peer initiates the discovery protocol substream twice over the same connection, the handler fails by triggering a panic in the code paths "Inbound already connected" or "Outbound already connected". This panic brings down the networking task (swarm) and renders the node's peer‑to‑peer network unusable until a restart. The weakness is an unchecked panic condition, identified as CWE‑617.

Affected Systems

Nimiq network-libp2p versions before 1.3.0

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. An attacker can trigger the flaw from any remote peer capable of establishing a connection to the node, making it readily exploitable in open or untrusted networks. EPSS score indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA's KEV catalog. By forcing a node into an offline state, an adversary can achieve a denial‑of‑service effect until the node is manually restarted.

Generated by OpenCVE AI on April 28, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade network-libp2p to version 1.3.0 or later, which contains the fix.
  • Restart the node immediately if a crash occurs to restore p2p connectivity.
  • Set up monitoring to detect connectivity loss or panic logs so that any recurrence is promptly addressed.

Generated by OpenCVE AI on April 28, 2026 at 15:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq network-libp2p
Vendors & Products Nimiq network-libp2p

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq nimiq Proof-of-stake
CPEs cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*
Vendors & Products Nimiq
Nimiq nimiq Proof-of-stake

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a `panic!(\"Inbound already connected\")` / `panic!(\"Outbound already connected\")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
Title network-libp2p: Peer can crash the node by opening discovery protocol substream twice
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nimiq Network-libp2p Nimiq Proof-of-stake
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:54:06.421Z

Reserved: 2026-03-25T16:21:40.866Z

Link: CVE-2026-34063

cve-icon Vulnrichment

Updated: 2026-04-23T13:54:01.959Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T20:16:40.713

Modified: 2026-04-24T17:12:23.350

Link: CVE-2026-34063

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses