CVE-2026-34066

Severity: Medium · CVSS 3.1 base score 5.3 · EPSS 15.2%
Published Apr 22, 2026 · Last Modified Jun 17, 2026

Description

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic. `extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
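The failure mode described above, as an added example that is not code from nimiq-blockchain or its patch: an invariant on peer-influenced data enforced with `assert!` next to the same check returned as an error. All names (`HistTx`, `put_asserting`, `put_validating`, `HistoryError`) and the simple block-number range standing in for the macro-block and epoch bounds are assumptions.

```rust
// Added illustration: every name here is hypothetical, not nimiq-blockchain's API.
use std::panic;

#[derive(Debug, PartialEq)]
enum HistoryError {
    BlockNumberOutOfRange { index: usize, block_number: u32 },
}

// Constructed stand-in for a peer-supplied history item.
struct HistTx {
    block_number: u32,
}

// Pattern described in the advisory: the invariant is an assert!, so a
// malformed peer-supplied list panics instead of being rejected.
fn put_asserting(first: u32, macro_block: u32, history: &[HistTx]) -> usize {
    for tx in history {
        assert!(tx.block_number >= first && tx.block_number <= macro_block);
    }
    history.len()
}

// Hardened form: same invariant as input validation; the caller gets an
// error it can use to reject the batch and carry on.
fn put_validating(first: u32, macro_block: u32, history: &[HistTx]) -> Result<usize, HistoryError> {
    for (index, tx) in history.iter().enumerate() {
        if tx.block_number < first || tx.block_number > macro_block {
            return Err(HistoryError::BlockNumberOutOfRange { index, block_number: tx.block_number });
        }
    }
    Ok(history.len())
}

// True if the asserting variant panics on this input.
fn asserting_panics(first: u32, macro_block: u32, history: &[HistTx]) -> bool {
    panic::catch_unwind(|| put_asserting(first, macro_block, history)).is_err()
}

fn main() {
    // Constructed sample: second entry lies outside the range 100..=160.
    let malformed = [HistTx { block_number: 101 }, HistTx { block_number: 999 }];
    println!("assert path panicked: {}", asserting_panics(100, 160, &malformed));
    println!("validated path: {:?}", put_validating(100, 160, &malformed));
}
```

Because validation returns before any later step runs, the ordering issue the description mentions (storage write before the history root comparison) no longer decides whether the process survives bad input.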

CVSS Details

Base Score
5.3
Exploitability
1.6
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
15.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 3

CWE-20 Improper Input Validation
CWE-617
CWE-754

Affected Products 1

Vendor   Product                Version Range
nimiq    nimiq_proof-of-stake   * <1.3.0

References 4

  • github.com https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50
    Patch
  • github.com https://github.com/nimiq/core-rs-albatross/pull/3656
    Issue Tracking, Patch
  • github.com https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
    Release Notes
  • github.com https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg
    Patch, Vendor Advisory

Remediation

  • github.com https://github.com/nimiq/core-rs-albatross/commit/6f5511309c199d84b012fe6b9aba7e5582892c50
    Patch
  • github.com https://github.com/nimiq/core-rs-albatross/pull/3656
    Issue Tracking, Patch
  • github.com https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-j99g-7rqw-q9jg
    Patch, Vendor Advisory