Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33184

CVE-2026-33184: Nimiq Albatross DOS Vulnerability

CVE-2026-33184 is a denial-of-service flaw in Nimiq's Rust Albatross implementation that allows attackers to trigger capacity overflow panics. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-33184 Overview

CVE-2026-33184 is an integer underflow vulnerability in nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The vulnerability exists in the discovery handler which accepts a peer-controlled limit during handshake and stores it unchanged. When a malicious peer sets limit = 0, the subsequent computation of self.peer_list_limit.unwrap() as usize - 1 causes an integer underflow, wrapping to usize::MAX. This leads to a deterministic panic with capacity overflow when choose_multiple() attempts to allocate an impossibly large vector.

Critical Impact

Remote attackers can crash Nimiq validator nodes by sending a crafted handshake with limit = 0, causing complete denial of service to the blockchain network node.

Affected Products

  • nimiq/core-rs-albatross versions prior to 1.3.0
  • Nimiq Proof-of-Stake protocol implementations using vulnerable Albatross consensus code

Discovery Timeline

  • 2026-04-03 - CVE CVE-2026-33184 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-33184

Vulnerability Analysis

This vulnerability exploits a classic integer underflow condition in Rust code handling peer discovery. The discovery handler accepts a limit parameter from connecting peers during the handshake phase without proper validation. The immediate HandshakeAck path honors limit = 0 and returns zero contacts, making the session appear benign to any connection monitoring.

However, when the same session transitions to the Established state, the periodic update path performs an unchecked arithmetic operation: self.peer_list_limit.unwrap() as usize - 1. With limit = 0, this subtraction underflows to usize::MAX (typically 18,446,744,073,709,551,615 on 64-bit systems). Subsequently, the rand crate's choose_multiple() function attempts to allocate a vector with this astronomical capacity via Vec::with_capacity(amount), which deterministically panics with a capacity overflow error.

Root Cause

The root cause is classified as CWE-191 (Integer Underflow). The code fails to validate that the peer-provided limit parameter is greater than zero before performing subtraction. In Rust, while arithmetic operations in release builds wrap by default, the subsequent memory allocation attempt with the wrapped value causes a panic rather than silent corruption. The lack of input validation on peer-controlled data allows attackers to trigger this condition remotely.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker establishes a peer connection to a vulnerable Nimiq node and provides limit = 0 during the discovery handshake. The attack is particularly insidious because the initial handshake completes successfully and the session appears legitimate. The crash only occurs later during periodic peer list updates, potentially making it harder to correlate the crash with the malicious connection.

The vulnerability can be exploited by any network-reachable attacker to crash validator nodes, potentially disrupting consensus and network availability. In blockchain networks, this type of DoS vulnerability is especially critical as it can affect network consensus and transaction processing.

Detection Methods for CVE-2026-33184

Indicators of Compromise

  • Nimiq node processes terminating unexpectedly with capacity overflow panics
  • Log entries showing panic at Vec::with_capacity() in discovery-related code paths
  • Unusual peer connections that complete handshake but trigger crashes shortly after reaching Established state
  • Pattern of node restarts correlated with specific peer connections

Detection Strategies

  • Monitor node process stability and implement alerting on unexpected terminations
  • Analyze crash dumps for stack traces containing choose_multiple and capacity overflow indicators
  • Implement connection logging to correlate crash events with recent peer connections
  • Deploy network-level monitoring for anomalous connection patterns to Nimiq nodes

Monitoring Recommendations

  • Enable verbose logging for peer discovery and connection state transitions
  • Set up process monitoring with automatic restart capabilities to maintain availability
  • Implement peer reputation scoring to identify and block suspicious connection sources
  • Monitor memory allocation patterns for anomalous requests

How to Mitigate CVE-2026-33184

Immediate Actions Required

  • Upgrade nimiq/core-rs-albatross to version 1.3.0 or later immediately
  • Review node logs for evidence of exploitation attempts or unexpected crashes
  • Consider implementing network-level access controls to limit peer connections during the upgrade window
  • Monitor node availability closely during the remediation period

Patch Information

The vulnerability has been patched in nimiq/core-rs-albatross version 1.3.0. The fix is available in commit 8f60a2d75b74b55764ecf34bd4435f4961630595. For detailed information about the vulnerability and patch, refer to the GitHub Security Advisory GHSA-5rm9-893q-vmhm, Pull Request #3664, and the v1.3.0 Release.

Workarounds

  • No official workarounds are available; upgrading to version 1.3.0 is the recommended remediation
  • Implement network-level rate limiting on incoming peer connections as a temporary defensive measure
  • Consider running nodes behind firewalls with restricted peer access until patching is complete
  • Deploy redundant nodes to maintain network availability in case of DoS attacks
bash
# Upgrade nimiq/core-rs-albatross to patched version
cd /path/to/core-rs-albatross
git fetch --tags
git checkout v1.3.0
cargo build --release

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.