Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The maliciously crafted record would contain a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64 in order to cause a crash. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics. This issue has been fixed in version 1.4.0.
Published: 2026-05-20
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed Ed25519 signature length check in the Nimiq blockchain's DHT verifier leads to a panic that terminates the full node process. The security weakness enumerated as CWE‑252 causes the verifier to unwrap a failed signature conversion and crash, resulting in loss of availability for the affected node. The issue is triggered by a crafted network record and thus can be exploited remotely by any peer that can inject a malicious DHT entry.

Affected Systems

The vulnerability affects the Nimiq core‑rs‑albatross implementation of the Nimiq blockchain. Full nodes running version 1.3.0 or earlier are susceptible; the fix is incorporated in the 1.4.0 release. Users running earlier releases should upgrade to 1.4.0 or later to eliminate the crash vector.

Risk and Exploitability

The CVSS score of 7.5 classifies this flaw as high severity, reflecting the serious impact on node availability. EPSS data are not available, so the exploitation likelihood cannot be quantified, but the fault can be triggered by any malicious peer in the network without authentication. This vulnerability is not listed in the CISA KEV catalog, yet remote exploitation of a node in a production network remains a tangible threat.

Generated by OpenCVE AI on May 20, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nimiq core‑rs‑albatross to version 1.4.0 or newer to resolve the panic
  • If immediate upgrade is not feasible, restrict the node’s DHT connections to trusted peers or block incoming DHT traffic until a patch can be applied
  • Monitor node logs for panic events and ensure automated restarts or alerts to minimize downtime

Generated by OpenCVE AI on May 20, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-27w2-87xv-37c6 nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
History

Wed, 20 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq core-rs-albatross
Vendors & Products Nimiq
Nimiq core-rs-albatross

Wed, 20 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The maliciously crafted record would contain a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64 in order to cause a crash. When the victim node's DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics. This issue has been fixed in version 1.4.0.
Title nimiq-keys: Unchecked Ed25519 signature length in TaggedPublicKey::verify causes remote node panic via DHT
Weaknesses CWE-252
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Nimiq Core-rs-albatross
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T21:16:40.805Z

Reserved: 2026-04-09T00:39:12.206Z

Link: CVE-2026-40092

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-20T22:16:36.850

Modified: 2026-05-20T22:16:36.850

Link: CVE-2026-40092

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T22:30:40Z

Weaknesses