Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction. HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. when a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.
Published: 2026-04-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Service disruption (node crash)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an unchecked Option unwrap that triggers a panic in Nimiq core-rs-albatross when a full node handles certain consensus requests while running without the history index. This panic causes the node to terminate, effectively denying service to the network. Attacking the node can be accomplished by sending specific requests such as RequestTransactionsProof or RequestTransactionReceiptsByAddress that exercise the vulnerable path.

Affected Systems

The issue affects the Rust implementation of the Nimiq Proof‑of‑Stake protocol, core-rs-albatross, in all versions prior to 1.3.0. Any deployment that operates a full node without a history index is potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score is below 1 %, suggesting a low but non‑zero likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote: a peer can trigger the panic by sending the relevant consensus requests to a node that lacks the history index. Exploitation requires the node to be configured without the history index, meaning the risk is limited to misconfigured deployments.

Generated by OpenCVE AI on April 9, 2026 at 17:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Nimiq core‑rs‑albatross to version 1.3.0 or later to receive the fix for the panic condition.
  • If an upgrade is not immediately possible, configure the node to enable the history index or restrict message handling so that unsupported requests are dropped instead of causing a panic.
  • Verify that the node is operating with the history index enabled before exposing it to unknown peers to prevent accidental crashes.

Generated by OpenCVE AI on April 9, 2026 at 17:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:rust:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq core-rs-albatross
Vendors & Products Nimiq
Nimiq core-rs-albatross

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction. HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. when a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.
Title nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs without the history index
Weaknesses CWE-252
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Nimiq Core-rs-albatross
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T17:22:04.161Z

Reserved: 2026-04-02T20:49:44.452Z

Link: CVE-2026-35468

cve-icon Vulnrichment

Updated: 2026-04-06T17:21:59.965Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T23:17:06.963

Modified: 2026-04-09T16:44:05.540

Link: CVE-2026-35468

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:35Z

Weaknesses