Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

nimiq-blockchain’s network‑libp2p discovery module accepts signed PeerContact updates without enforcing that peer contacts contain at least one address. An attacker can send a signed PeerContact with an empty address list to a node, which is then stored in the peer contact book. When the peer contact book later builds an address book, it expects every peer to have at least one address and calls addresses.first().expect(...). The empty list causes a panic, crashing the node or its RPC task. This leads to a denial of service but does not provide arbitrary code execution or data exfiltration.

Affected Systems

Vendors: Nimiq. Product: nimiq‑blockchain (core‑rs‑albatross). Versions affected are 1.3.0 and all earlier releases. The issue was fixed in release 1.4.0.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector relies on an untrusted peer on the network delivering a signed PeerContact with an empty address list. Successful exploitation results only in a node crash, so an attacker would need network access to the node’s peer discovery channel. Because no authentication is required beyond accepting signed contacts, the vulnerability is easily exploitable by any remote node.

Generated by OpenCVE AI on May 20, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.4.0 or later of nimiq‑blockchain, which validates that peer contacts contain at least one address and rejects empty ones.
  • After upgrading, restart the node to clear any stale peer contacts that may remain in the peer contact book.
  • Monitor node logs for panic messages or repeated crash events and verify that get_address_book no longer crashes when accessed via RPC or web client.

Generated by OpenCVE AI on May 20, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Nimiq
Nimiq core-rs-albatross
Vendors & Products Nimiq
Nimiq core-rs-albatross

Wed, 20 May 2026 21:45:00 +0000

Type Values Removed Values Added
Description nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.
Title nimiq-blockchain: network-libp2p untrusted peer can crash address book via empty peer contact addresses
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

Nimiq Core-rs-albatross
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T21:27:40.862Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40094

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-20T22:16:36.993

Modified: 2026-05-20T22:16:36.993

Link: CVE-2026-40094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T22:30:40Z

Weaknesses