CVE-2026-28402 Overview
CVE-2026-28402 is an improper integrity verification vulnerability in nimiq/core-rs-albatross, the Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator elected as proposer could publish a macro block proposal where header.body_root does not match the actual macro body hash. The proposal could pass verification because the macro proposal verification path validates the header but fails to validate the binding body_root == hash(body). Later code expects this binding and may panic on mismatch, crashing validator nodes.
Critical Impact
A compromised validator can craft malicious macro block proposals that crash other validator nodes through a hash mismatch panic, potentially disrupting network consensus and availability.
Affected Products
- nimiq/core-rs-albatross versions prior to 1.2.2
- Nimiq Proof-of-Stake validator nodes running affected versions
- Albatross consensus algorithm implementations in nimiq/core-rs-albatross
Discovery Timeline
- 2026-02-27 - CVE-2026-28402 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-28402
Vulnerability Analysis
This vulnerability falls under CWE-354: Improper Validation of Integrity Check Value. The core issue lies in the macro block proposal verification logic within the Nimiq blockchain implementation. When a validator is elected as a block proposer, they can submit macro block proposals that include both a header and a body. The header contains a body_root field which should be the cryptographic hash of the macro body, ensuring integrity between the two components.
The vulnerable code path validated the header independently but failed to verify that body_root actually matches the hash of the provided body. This missing integrity check creates an attack surface where a malicious proposer can deliberately create a mismatch between the declared body_root in the header and the actual body content.
When other validators receive and process such a malformed proposal, later processing stages assume the integrity binding holds true. Upon encountering the mismatch, the validator software panics, causing a node crash. This is particularly impactful as it only affects validator nodes, which are critical to maintaining network consensus.
Root Cause
The root cause is the absence of a cryptographic integrity verification check during proposal validation. The verification path for macro proposals was incomplete—it validated the header structure and other proposal attributes but neglected to verify that header.body_root equals the hash of the proposal body. This missing check allowed malformed proposals to pass initial verification and propagate to other validators.
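The missing binding check, as an added Rust example (not code from nimiq/core-rs-albatross): the types, function names and sample data are hypothetical, and std's DefaultHasher stands in for the chain's cryptographic hash. verify_header_only accepts a proposal whose body_root does not match its body, the later commit stage panics on it, and verify_with_binding rejects it with an error at verification time instead.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
// Hypothetical, simplified stand-ins for a macro block proposal (not the project's types).
struct Header { block_number: u32, body_root: u64 }
struct Body { validators: Vec<String> }
struct Proposal { header: Header, body: Body }
#[derive(Debug, PartialEq)]
enum VerifyError { InvalidHeader, BodyHashMismatch }

// Stand-in for the chain's cryptographic hash; DefaultHasher is NOT collision resistant.
fn hash_body(body: &Body) -> u64 {
    let mut h = DefaultHasher::new();
    body.validators.hash(&mut h);
    h.finish()
}
fn verify_header(h: &Header) -> Result<(), VerifyError> {
    if h.block_number == 0 { Err(VerifyError::InvalidHeader) } else { Ok(()) }
}

// Pre-fix shape: the header is validated, its binding to the body is never checked.
fn verify_header_only(p: &Proposal) -> Result<(), VerifyError> {
    verify_header(&p.header)
}

// Post-fix shape: a mismatch is a recoverable verification error.
fn verify_with_binding(p: &Proposal) -> Result<(), VerifyError> {
    verify_header(&p.header)?;
    if p.header.body_root != hash_body(&p.body) { return Err(VerifyError::BodyHashMismatch); }
    Ok(())
}

// Later stage that assumes the binding holds and panics when it does not.
fn commit(p: &Proposal) -> u32 {
    assert_eq!(p.header.body_root, hash_body(&p.body), "body hash mismatch");
    p.header.block_number
}

// Constructed sample: tamper = true sets body_root to a value that cannot match the body.
fn proposal(tamper: bool) -> Proposal {
    let body = Body { validators: vec!["v1".into(), "v2".into()] };
    let root = hash_body(&body);
    Proposal { header: Header { block_number: 7, body_root: if tamper { !root } else { root } }, body }
}

fn main() {
    let bad = proposal(true);
    println!("header-only: {:?}, with binding: {:?}", verify_header_only(&bad), verify_with_binding(&bad));
    println!("honest block committed at height {}", commit(&proposal(false)));
}
```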
Attack Vector
An attacker must first gain control of or compromise a validator node that gets elected as a block proposer. Once elected, the malicious validator crafts a macro block proposal with a deliberately incorrect body_root value in the header. When this proposal is broadcast to other validators in the network, each receiving validator processes the proposal. The proposal passes initial verification due to the missing integrity check, but when later code attempts to use the body and relies on the integrity binding, a panic occurs due to the hash mismatch, crashing the validator node.
The security patch adds the necessary body root verification directly in the proposal verification path:
.clone()
};
+ // Verify that the header's body_root matches the hash of the actual body.
+ if *block.body_root() != body.hash() {
+ debug!(%block, "Tendermint - await_proposal: body_root does not match body hash");
+ return Err(PushError::InvalidBlock(BlockError::BodyHashMismatch));
+ }
+
// Verify macro block state before committing accounts.
if let Err(error) = self.verify_block_state_pre_commit(block, txn) {
debug!(%error, %block, "Tendermint - await_proposal: Invalid macro block state");
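Review bot: The new mismatch branch logs only at debug level (`debug!(%block, "Tendermint - await_proposal: body_root does not match body hash")`), so on a node running with default verbosity a rejected proposal with a wrong body_root leaves no trace. A proposer sending a header that does not bind to its body is a security-relevant event, so consider raising this to `warn!` and including the proposer's identity alongside `%block`, which would let operators correlate rejections with specific validators. No regression test is visible in this hunk; a test that feeds a proposal with a mismatched body_root into this path and asserts `PushError::InvalidBlock(BlockError::BodyHashMismatch)` would keep the check from being dropped in a later refactor.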
Source: GitHub Commit
Detection Methods for CVE-2026-28402
Indicators of Compromise
- Unexpected validator node crashes with panic messages related to body hash mismatches
- Log entries containing "body_root does not match body hash" (the debug message added by the patch shown above, so it is emitted by nodes running the fix) or similar integrity verification errors
- Repeated node restarts on validator infrastructure during proposal processing
- Network consensus disruptions coinciding with specific proposer elections
Detection Strategies
- Monitor validator node logs for panic events, particularly those occurring during block proposal processing phases
- Implement alerting on validator node crashes that include stack traces pointing to body verification or hash comparison functions
- Track proposer behavior patterns and flag validators whose proposals repeatedly cause downstream processing failures
- Deploy network-wide monitoring to correlate validator crashes with specific block heights and proposer identities
Monitoring Recommendations
- Enable verbose logging on validator nodes to capture detailed proposal verification events
- Set up automated crash analysis that captures and categorizes panic messages from validator processes
- Implement real-time dashboards showing validator uptime and crash frequency across the network
- Configure alerts for any validator node that experiences more than expected restart frequency
How to Mitigate CVE-2026-28402
Immediate Actions Required
- Upgrade all nimiq/core-rs-albatross validator nodes to version 1.2.2 or later immediately
- Review validator node logs for any evidence of previous exploitation attempts
- Temporarily increase monitoring on validator infrastructure during the upgrade process
- Ensure backup validator nodes are available to maintain network participation during upgrades
Patch Information
The patch for this vulnerability is formally released as part of version 1.2.2. The fix adds the corresponding body root verification in the proposal checks, ensuring that body_root in the header matches hash(body) before the proposal passes verification. The patch is available through the following resources:
Workarounds
- No known workarounds are available for this vulnerability
- The only effective mitigation is upgrading to the patched version 1.2.2
- Non-validator nodes are not affected by this vulnerability
- Organizations unable to immediately upgrade should consider temporarily taking validators offline until patching is complete
# Upgrade nimiq/core-rs-albatross to patched version
cd core-rs-albatross
git fetch --tags
git checkout v1.2.2
cargo build --release
# Restart validator node with updated binary
systemctl restart nimiq-validator


