VYPR
Low severity · 3.1 · NVD Advisory · Published Apr 22, 2026 · Updated Apr 24, 2026

CVE-2026-34067

Description

nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, HistoryTreeProof::verify panics on a malformed proof where history.len() != positions.len() due to assert_eq!(history.len(), positions.len()). The proof object is derived from untrusted p2p responses (ResponseTransactionsProof.proof) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
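
The failure mode described above, as an added example that is not code from this advisory or from the Nimiq code base: a simplified verifier with the assertion-based and the checked length test side by side, plus a caller that treats `None` as a rejected response. `ToyProof`, its toy `root` function, `handle_response` and `asserting_verify_panics` are hypothetical names, and the sample proofs are constructed.

```rust
use std::panic;

/// Hypothetical stand-in for a proof decoded from a peer response (not Nimiq's type).
pub struct ToyProof {
    pub history: Vec<u64>,     // claimed items
    pub positions: Vec<usize>, // claimed leaf indices, expected one per item
}

impl ToyProof {
    /// Toy commitment over (position, item) pairs; stands in for the real Merkle root.
    fn root(&self) -> u64 {
        let seed = 0xcbf2_9ce4_8422_2325u64;
        self.positions.iter().zip(self.history.iter()).fold(seed, |acc: u64, (p, h)| {
            (acc ^ (*p as u64) ^ h.rotate_left(17)).wrapping_mul(0x0100_0000_01b3)
        })
    }
    /// Pre-fix shape: the length invariant is an assertion, so bad input panics.
    pub fn verify_asserting(&self, expected: u64) -> Option<bool> {
        assert_eq!(self.history.len(), self.positions.len());
        Some(self.root() == expected)
    }
    /// Post-fix shape: a length mismatch is reported as a verification error.
    pub fn verify_checked(&self, expected: u64) -> Option<bool> {
        if self.history.len() != self.positions.len() {
            return None;
        }
        Some(self.root() == expected)
    }
}

/// Hypothetical network-boundary handler: only Some(true) is accepted.
pub fn handle_response(proof: &ToyProof, expected: u64) -> Result<(), &'static str> {
    match proof.verify_checked(expected) {
        Some(true) => Ok(()),
        Some(false) => Err("root mismatch"),
        None => Err("malformed proof"),
    }
}

/// True if the assertion-based verifier panics on this proof.
pub fn asserting_verify_panics(proof: &ToyProof, expected: u64) -> bool {
    panic::catch_unwind(|| proof.verify_asserting(expected)).is_err()
}

fn main() {
    let good = ToyProof { history: vec![10, 20], positions: vec![0, 3] }; // constructed
    let bad = ToyProof { history: vec![10, 20], positions: vec![0] }; // constructed: lengths differ
    println!("good: {:?}, bad: {:?}", handle_response(&good, good.root()), handle_response(&bad, 0));
    println!("pre-fix verifier panics on bad: {}", asserting_verify_panics(&bad, 0));
}
```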

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nimiq-transaction (crates.io) | <= 0.2.0 |

Patches

6ff0800e8e03

Fix panic on HistoryTreeProof length mismatch

https://github.com/nimiq/core-rs-albatross · Jose Daniel Hernandez · Mar 27, 2026 · via ghsa
1 file changed · +3 -1
  • primitives/transaction/src/history_proof.rs · +3 -1 · modified
    @@ -16,7 +16,9 @@ pub struct HistoryTreeProof {
     impl HistoryTreeProof {
         /// Verifies the Merkle proof. It will return None if the verification encounters an error.
         pub fn verify(&self, expected_root: Blake2bHash) -> Option<bool> {
    -        assert_eq!(self.history.len(), self.positions.len());
    +        if self.history.len() != self.positions.len() {
    +            return None;
    +        }
             let zipped: Vec<_> = self
                 .positions
                 .iter()
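
Review bot: the new early return at the top of verify has no regression test in this commit, since the only file changed is history_proof.rs. Add a unit test that builds a HistoryTreeProof whose history and positions differ in length and asserts that verify returns None. The doc comment above verify could also name this case explicitly, for example "returns None if history and positions differ in length", so callers know that None covers malformed proofs from peers as well as internal verification errors.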
    
