Description
nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Published: 2026-04-22
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A verification function in Nimiq’s Rust transaction library asserts that the length of a proof matches the number of positions it contains. When a proof with a length mismatch is supplied, the assertion triggers a panic, causing the node to crash. The proof data originates from untrusted peer‑to‑peer responses, so an attacker can easily craft a malicious inclusion proof to induce the crash. The resulting denial of service manifests as node termination or temporary unavailability, disrupting transaction processing and consensus.

Affected Systems

Nodes running Nimiq clients that include the nimiq‑transaction component before version 1.3.0 are vulnerable. The flaw is present in any Rust Nimiq client that processes peer‑to‑peer transaction proofs. Versions 1.3.0 and later contain the patch.

Risk and Exploitability

The CVSS score of 3.1 indicates low severity, consistent with a crash that compromises availability but not confidentiality or integrity. The EPSS score is less than 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Because the input comes from the network boundary, an adversary can trigger the panic by sending a crafted proof via the P2P protocol. While an exploit is straightforward once the node accepts untrusted proof data, the impact is confined to service disruption.

Generated by OpenCVE AI on April 28, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nimiq-transaction to version 1.3.0 or later.
  • Restart the node after applying the upgrade to ensure the patch takes effect.
  • Configure a process supervisor (e.g., systemd, runit) to automatically restart the node on crash, reducing downtime.

Generated by OpenCVE AI on April 28, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-264v-m8fm-76jm nimiq-transaction: Panic via `HistoryTreeProof` length mismatch
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq nimiq-transaction
Vendors & Products Nimiq nimiq-transaction

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq nimiq Proof-of-stake
CPEs cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*
Vendors & Products Nimiq
Nimiq nimiq Proof-of-stake

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Title nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch
Weaknesses CWE-617
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

Nimiq Nimiq-transaction Nimiq Proof-of-stake
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T14:17:59.735Z

Reserved: 2026-03-25T16:21:40.867Z

Link: CVE-2026-34067

cve-icon Vulnrichment

Updated: 2026-04-23T14:17:55.804Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T21:17:07.760

Modified: 2026-04-24T17:12:48.173

Link: CVE-2026-34067

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:45:16Z

Weaknesses