CVE-2026-33184 Overview
CVE-2026-33184 is an integer underflow vulnerability in nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The vulnerability exists in the discovery handler which accepts a peer-controlled limit during handshake and stores it unchanged. When a malicious peer sets limit = 0, the subsequent computation of self.peer_list_limit.unwrap() as usize - 1 causes an integer underflow, wrapping to usize::MAX. This leads to a deterministic panic with capacity overflow when choose_multiple() attempts to allocate an impossibly large vector.
Critical Impact
Remote attackers can crash Nimiq validator nodes by sending a crafted handshake with limit = 0, causing complete denial of service to the blockchain network node.
Affected Products
- nimiq/core-rs-albatross versions prior to 1.3.0
- Nimiq Proof-of-Stake protocol implementations using vulnerable Albatross consensus code
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-33184 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-33184
Vulnerability Analysis
This vulnerability exploits a classic integer underflow condition in Rust code handling peer discovery. The discovery handler accepts a limit parameter from connecting peers during the handshake phase without proper validation. The immediate HandshakeAck path honors limit = 0 and returns zero contacts, making the session appear benign to any connection monitoring.
However, when the same session transitions to the Established state, the periodic update path performs an unchecked arithmetic operation: self.peer_list_limit.unwrap() as usize - 1. With limit = 0, this subtraction underflows to usize::MAX (typically 18,446,744,073,709,551,615 on 64-bit systems). Subsequently, the rand crate's choose_multiple() function attempts to allocate a vector with this astronomical capacity via Vec::with_capacity(amount), which deterministically panics with a capacity overflow error.
Root Cause
The root cause is classified as CWE-191 (Integer Underflow). The code fails to validate that the peer-provided limit parameter is greater than zero before performing subtraction. In Rust, while arithmetic operations in release builds wrap by default, the subsequent memory allocation attempt with the wrapped value causes a panic rather than silent corruption. The lack of input validation on peer-controlled data allows attackers to trigger this condition remotely.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker establishes a peer connection to a vulnerable Nimiq node and provides limit = 0 during the discovery handshake. The attack is particularly insidious because the initial handshake completes successfully and the session appears legitimate. The crash only occurs later during periodic peer list updates, potentially making it harder to correlate the crash with the malicious connection.
The vulnerability can be exploited by any network-reachable attacker to crash validator nodes, potentially disrupting consensus and network availability. In blockchain networks, this type of DoS vulnerability is especially critical as it can affect network consensus and transaction processing.
Detection Methods for CVE-2026-33184
Indicators of Compromise
- Nimiq node processes terminating unexpectedly with capacity overflow panics
- Log entries showing panic at Vec::with_capacity() in discovery-related code paths
- Unusual peer connections that complete handshake but trigger crashes shortly after reaching Established state
- Pattern of node restarts correlated with specific peer connections
Detection Strategies
- Monitor node process stability and implement alerting on unexpected terminations
- Analyze crash dumps for stack traces containing choose_multiple and capacity overflow indicators
- Implement connection logging to correlate crash events with recent peer connections
- Deploy network-level monitoring for anomalous connection patterns to Nimiq nodes
Monitoring Recommendations
- Enable verbose logging for peer discovery and connection state transitions
- Set up process monitoring with automatic restart capabilities to maintain availability
- Implement peer reputation scoring to identify and block suspicious connection sources
- Monitor memory allocation patterns for anomalous requests
How to Mitigate CVE-2026-33184
Immediate Actions Required
- Upgrade nimiq/core-rs-albatross to version 1.3.0 or later immediately
- Review node logs for evidence of exploitation attempts or unexpected crashes
- Consider implementing network-level access controls to limit peer connections during the upgrade window
- Monitor node availability closely during the remediation period
Patch Information
The vulnerability has been patched in nimiq/core-rs-albatross version 1.3.0. The fix is available in commit 8f60a2d75b74b55764ecf34bd4435f4961630595. For detailed information about the vulnerability and patch, refer to the GitHub Security Advisory GHSA-5rm9-893q-vmhm, Pull Request #3664, and the v1.3.0 Release.
Workarounds
- No official workarounds are available; upgrading to version 1.3.0 is the recommended remediation
- Implement network-level rate limiting on incoming peer connections as a temporary defensive measure
- Consider running nodes behind firewalls with restricted peer access until patching is complete
- Deploy redundant nodes to maintain network availability in case of DoS attacks
# Upgrade nimiq/core-rs-albatross to patched version
cd /path/to/core-rs-albatross
git fetch --tags
git checkout v1.3.0
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
