Nimiq Core Rs Albatross: Seven Denial-of-Service Vulnerabilities Disclosed

Key findings
- Seven denial-of-service vulnerabilities disclosed in Nimiq Core Rs Albatross.
- Affected versions are those before the fixed releases, 1.4.0 and 1.5.0.
- Two high-severity flaws (CVE-2026-46545, CVE-2026-46541) let a remote, unauthenticated peer crash a node.
- Issues include improper state synchronization handling and DHT record verification flaws.
- Patches are available in Nimiq Core Rs Albatross versions 1.5.0 and 1.4.0.
On June 10, 2026, a batch of seven denial-of-service (DoS) vulnerabilities was disclosed in Nimiq's Core Rs Albatross, the Rust implementation of the Nimiq Proof-of-Stake protocol. The flaws affect versions before the fixed releases 1.4.0 and 1.5.0 and could allow remote, unauthenticated attackers to crash nodes, disrupt state synchronization, and degrade network stability.
The disclosed vulnerabilities center on how the Albatross implementation handles network messages, DHT records and state synchronization. Most of them share one root cause: data supplied by an arbitrary peer reaches a code path that cannot fail gracefully, such as an unwrap on an attacker-controlled value, an out-of-bounds index, or an accumulator that is never initialized on the error path, so the node panics instead of rejecting the input.
The most significant vulnerability, CVE-2026-46545 (High, CVSS 7.5), allows any state-sync peer to crash any node that is performing state synchronization, through the chunks it serves to MerkleRadixTrie::put_chunk. Because a node bootstrapping from the network has to accept chunks from peers it does not yet trust, a single malicious peer can prevent new nodes from joining the network or repeatedly abort synchronization on existing ones.
Another high-severity flaw, CVE-2026-46541 (High, CVSS 7.5), is in the handle_dht_get() function. If the first Distributed Hash Table (DHT) record returned by a malicious DHT node fails verification, the DhtResults accumulator is never initialized, and the node crashes when it processes the records that follow. Only one bad record, placed first in the response, is needed.
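The following Rust snippet is an added illustration of the bug class described above, not Nimiq's code: the accumulator is created lazily on the first successfully verified record, so an invalid first record leaves it empty and the next record hits an unwrap. The DhtRecord and DhtResults types, the toy_tag checksum standing in for the real signature check, and the sample records are all constructed for the example.

```rust
// Added example (not Nimiq's code): accumulator initialized only on the success
// path, beside the hardened form that initializes it before any peer input is seen.
// `toy_tag`/`verify` are stand-ins for the real DHT record signature check.

#[derive(Debug, Clone, PartialEq)]
pub struct DhtRecord {
    pub key: String,
    pub value: u64,
    /// Stand-in for a signature over (key, value).
    pub tag: u64,
}

/// Toy "signature": a checksum over the key bytes and the value (example only).
pub fn toy_tag(key: &str, value: u64) -> u64 {
    key.bytes().fold(value, |acc, b| acc.rotate_left(5) ^ u64::from(b))
}

pub fn verify(rec: &DhtRecord) -> bool {
    rec.tag == toy_tag(&rec.key, rec.value)
}

#[derive(Debug, Default, PartialEq)]
pub struct DhtResults {
    pub accepted: Vec<DhtRecord>,
    pub rejected: usize,
}

/// Vulnerable shape: the accumulator is created only when the *first* record
/// verifies. A malicious DHT node that puts an invalid record first leaves it
/// `None`, and the very next record reaches `unwrap()` and panics the node.
pub fn handle_dht_get_vulnerable(records: &[DhtRecord]) -> Option<DhtResults> {
    let mut acc: Option<DhtResults> = None;
    for (i, rec) in records.iter().enumerate() {
        if !verify(rec) {
            if let Some(a) = acc.as_mut() {
                a.rejected += 1;
            }
            continue; // first record invalid: acc is still None here
        }
        if i == 0 {
            acc = Some(DhtResults::default());
        }
        acc.as_mut().unwrap().accepted.push(rec.clone()); // panics if records[0] failed
    }
    acc
}

/// Hardened shape: initialize before examining any peer input, so every path
/// (bad first record, all records bad, empty response) ends with a result.
pub fn handle_dht_get_fixed(records: &[DhtRecord]) -> DhtResults {
    let mut acc = DhtResults::default();
    for rec in records {
        if verify(rec) {
            acc.accepted.push(rec.clone());
        } else {
            acc.rejected += 1;
        }
    }
    acc
}

/// Constructed sample: a malicious node answers with a bad record first, then a good one.
pub fn sample_records() -> Vec<DhtRecord> {
    let good = DhtRecord { key: "peer/abc".into(), value: 42, tag: toy_tag("peer/abc", 42) };
    let bad = DhtRecord { key: "peer/xyz".into(), value: 7, tag: toy_tag("peer/xyz", 7) ^ 1 };
    vec![bad, good]
}

fn main() {
    let records = sample_records();
    let crashed = std::panic::catch_unwind(|| handle_dht_get_vulnerable(&records)).is_err();
    println!("vulnerable handler panicked: {}", crashed);
    let fixed = handle_dht_get_fixed(&records);
    println!("fixed handler: {} accepted, {} rejected", fixed.accepted.len(), fixed.rejected);
}
```

Swapping the two sample records makes the vulnerable handler succeed, which is why a test that only feeds well-formed responses never catches this class: the failing path must be exercised in the first position.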
The medium-severity issues are also reachable remotely. CVE-2026-46543 (Medium, CVSS 5.3) allows a remote peer to crash a full node by sending a RequestBatchSet message that names the genesis block's hash, which causes an out-of-bounds read in the handler. Separately, CVE-2026-46540 (Medium, CVSS 6.5) describes LightBlockchain::rebranch() failing to update critical head pointers when it adopts a fork chain, leaving the light blockchain in an inconsistent state that can lead to crashes.
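As an added illustration of the CVE-2026-46543 bug class, and not Nimiq's code, the Rust snippet below models a RequestBatchSet handler whose index arithmetic is only valid for non-genesis blocks, beside a hardened version that turns every peer-derived lookup into checked arithmetic and an error response. The batch layout, BATCH_LENGTH constant, ChainStore type and RequestError variants are assumptions for the example; the page says nothing about the real handler beyond the out-of-bounds read.

```rust
// Added illustration (not Nimiq's code): a RequestBatchSet handler that panics on
// the genesis hash, beside a version that rejects it. Layout and types are assumed.

/// Blocks per batch in this toy chain (assumed; not Nimiq's parameter).
pub const BATCH_LENGTH: u32 = 4;

pub type Hash = [u8; 4];

#[derive(Debug, Clone, PartialEq)]
pub struct BatchSet {
    pub batch_number: u32,
    pub last_block: u32,
}

#[derive(Debug, PartialEq)]
pub enum RequestError {
    UnknownBlock,
    GenesisHasNoBatchSet,
    BatchNotComplete,
}

/// Toy chain store: `hashes[n]` is the hash of block n (0 = genesis) and
/// `batch_sets[k - 1]` describes completed batch k, which covers blocks
/// (k-1)*BATCH_LENGTH + 1 ..= k*BATCH_LENGTH. Genesis belongs to no batch.
pub struct ChainStore {
    pub hashes: Vec<Hash>,
    pub batch_sets: Vec<BatchSet>,
}

impl ChainStore {
    /// Constructed chain with `n_blocks` (>= 1) blocks and deterministic fake hashes.
    pub fn constructed(n_blocks: u32) -> Self {
        let hashes: Vec<Hash> = (0..n_blocks).map(|n| n.to_le_bytes()).collect();
        let completed = (n_blocks - 1) / BATCH_LENGTH;
        let batch_sets = (1..=completed)
            .map(|k| BatchSet { batch_number: k, last_block: k * BATCH_LENGTH })
            .collect();
        ChainStore { hashes, batch_sets }
    }

    pub fn block_number(&self, hash: &Hash) -> Option<u32> {
        self.hashes.iter().position(|h| h == hash).map(|n| n as u32)
    }

    /// Batch containing block `n`; 0 for genesis.
    pub fn batch_number(&self, n: u32) -> u32 {
        (n + BATCH_LENGTH - 1) / BATCH_LENGTH
    }
}

/// Vulnerable shape: `batch_number - 1` is only valid for batch_number >= 1.
/// For the genesis hash batch_number is 0: the subtraction panics in a debug
/// build and wraps to usize::MAX in a release build, where the index then reads
/// out of bounds and panics. Either way one request from any peer takes the node down.
pub fn handle_request_batch_set_vulnerable(store: &ChainStore, hash: &Hash) -> Option<BatchSet> {
    let n = store.block_number(hash)?;
    let idx = (store.batch_number(n) as usize) - 1;
    Some(store.batch_sets[idx].clone())
}

/// Hardened shape: checked arithmetic plus a bounds-checked lookup, with every
/// failure (unknown hash, genesis, incomplete batch) reported back as an error.
pub fn handle_request_batch_set(store: &ChainStore, hash: &Hash) -> Result<BatchSet, RequestError> {
    let n = store.block_number(hash).ok_or(RequestError::UnknownBlock)?;
    let idx = (store.batch_number(n) as usize)
        .checked_sub(1)
        .ok_or(RequestError::GenesisHasNoBatchSet)?;
    store.batch_sets.get(idx).cloned().ok_or(RequestError::BatchNotComplete)
}

fn main() {
    let store = ChainStore::constructed(9); // blocks 0..=8; batches 1 and 2 complete
    let genesis = 0u32.to_le_bytes();
    let crashed = std::panic::catch_unwind(|| handle_request_batch_set_vulnerable(&store, &genesis)).is_err();
    println!("vulnerable handler panicked on genesis request: {}", crashed);
    println!("hardened handler, genesis: {:?}", handle_request_batch_set(&store, &genesis));
    println!("hardened handler, block 5: {:?}", handle_request_batch_set(&store, &5u32.to_le_bytes()));
}
```

The hardened version also covers a second edge the vulnerable one misses, a block whose batch is not yet complete: `get()` returns `None` there instead of indexing past the end of `batch_sets`.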
Further DoS issues include CVE-2026-46542 (Medium, CVSS 4.3), a panic in the Ed25519 multisig delinearization code path caused by an unwrap on a curve point, so a peer-supplied point that does not decode cleanly aborts the node instead of being rejected. CVE-2026-46539 (Medium, CVSS 5.9) is a logic flaw in BlockInclusionProof::is_block_proven that, under certain conditions, bypasses the cryptographic verification the proof is supposed to enforce. Lastly, CVE-2026-44505 (Medium, CVSS 5.3) is a second issue in handle_dht_get, in which a record verification failure leads to unexpected behavior.
Nimiq has addressed these vulnerabilities in versions 1.4.0 and 1.5.0. Operators of Core Rs Albatross nodes are strongly advised to update to a patched version; the triggers are ordinary peer messages, DHT records and state-sync chunks from arbitrary, unauthenticated peers, and updating is the only mitigation given. The coordinated disclosure of these seven vulnerabilities underlines a familiar lesson for blockchain protocol implementations: peer-supplied data must never reach an unwrap, an unchecked index or unchecked arithmetic, and accumulators and head pointers must be initialized and updated on every path, including the one where the first record fails verification.