CVE-2026-40093
Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.
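The gap described above, as an added Rust example that is not code from nimiq-blockchain: the parent-relative rules alone accept a timestamp a year ahead, while the same rules with a wall-clock upper bound reject it. The `Header` type, the error enum, both function names, the value of `MIN_PRODUCER_TIMEOUT` and the `MAX_FUTURE_DRIFT` tolerance are assumptions made for the illustration; the reward functions are not modelled.

```rust
// Added illustration, not code from nimiq-blockchain.
const MIN_PRODUCER_TIMEOUT: u64 = 4_000; // ms; value assumed for the example
const MAX_FUTURE_DRIFT: u64 = 1_000; // ms; hypothetical clock-skew tolerance

#[derive(Debug, PartialEq)]
pub enum TimestampError { BeforeParent, BadSkipTimestamp, TooFarInFuture }

pub struct Header { pub timestamp: u64, pub is_skip: bool }

/// Parent-relative rules only, as the advisory describes them.
pub fn check_parent_relative(block: &Header, parent_ts: u64) -> Result<(), TimestampError> {
    if block.is_skip {
        // Skip blocks must sit exactly one producer timeout after the parent.
        if parent_ts.checked_add(MIN_PRODUCER_TIMEOUT) != Some(block.timestamp) {
            return Err(TimestampError::BadSkipTimestamp);
        }
    } else if block.timestamp < parent_ts {
        return Err(TimestampError::BeforeParent);
    }
    Ok(())
}

/// Same rules plus an upper bound against the verifying node's clock (`now`, in ms).
pub fn check_with_upper_bound(block: &Header, parent_ts: u64, now: u64) -> Result<(), TimestampError> {
    check_parent_relative(block, parent_ts)?;
    // Reject anything further ahead of local time than the allowed drift.
    if block.timestamp > now.saturating_add(MAX_FUTURE_DRIFT) {
        return Err(TimestampError::TooFarInFuture);
    }
    Ok(())
}

fn main() {
    // Constructed sample values: parent one second behind the verifier's clock.
    let (parent_ts, now) = (1_700_000_000_000u64, 1_700_000_001_000u64);
    let year_ms = 365 * 24 * 3_600 * 1_000u64;
    let future = Header { timestamp: now + year_ms, is_skip: false };
    println!("parent-relative only: {:?}", check_parent_relative(&future, parent_ts));
    println!("with upper bound:     {:?}", check_with_upper_bound(&future, parent_ts, now));
}
```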
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nimiq-blockchain (crates.io) | <= 1.3.0 | — |
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-49xc-52mp-cc9j (source: ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40093 (source: ghsa, advisory)
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-49xc-52mp-cc9j (source: nvd, broken link)