CVE-2026-40094

Published: May 20, 2026

Modified: May 21, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.

Vendor	Product	Versions
nimiq	core-rs-albatross	affected `< 1.4.0`

Weaknesses (CWE)

CWE-754

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-c45m-6x25-3cjq

x_refsource_CONFIRM

https://github.com/nimiq/core-rs-albatross/pull/3715

x_refsource_MISC

https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40094

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References