Description
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (node crash)
Action: Patch Now
AI Analysis

Impact

Untrusted peers can send a malicious election macro block that contains an invalid compressed BLS voting key. When the node deserializes the block, it attempts to uncompress the key and panics on invalid data, causing the node to crash. The crash is a local denial of service that brings down the node’s operation but does not expose data or allow code execution.

Affected Systems

The vulnerability is present in the nimiq‑primitives library, used by Nimiq’s Rust implementation, in all releases prior to 1.3.0. Users of any earlier version of nimiq‑primitives should identify their build against the library and determine whether it contains the unpatched code path.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact, but the EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low risk of widespread exploitation. The likely attack vector is via the network: a malicious or compromised peer in the peer‑to‑peer network can inject a forged election macro block. Successful exploitation requires connectivity to the target node and the ability to send a crafted block, after which the node will terminate due to the panic.

Generated by OpenCVE AI on April 28, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nimiq-primitives to version 1.3.0 or later and rebuild the node.
  • Restart the node to load the updated library.
  • If an upgrade cannot be performed immediately, temporarily block untrusted P2P connections by configuring a firewall or setting a node peer whitelist to mitigate risk until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7c4j-2m43-2mgh nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq nimiq-primitives
Vendors & Products Nimiq nimiq-primitives

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq nimiq Proof-of-stake
CPEs cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*
Vendors & Products Nimiq
Nimiq nimiq Proof-of-stake

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Title nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
Weaknesses CWE-252
CWE-755
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nimiq Nimiq-primitives Nimiq Proof-of-stake
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:17:01.654Z

Reserved: 2026-03-25T16:21:40.867Z

Link: CVE-2026-34065

cve-icon Vulnrichment

Updated: 2026-04-23T14:16:57.873Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T20:16:41.077

Modified: 2026-04-24T17:12:37.357

Link: CVE-2026-34065

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:30:34Z

Weaknesses