CVE-2026-34061 Overview
CVE-2026-34061 is a vulnerability in nimiq/core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks.
The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This creates a consensus failure scenario where the blockchain can be halted.
Critical Impact
A malicious elected validator can cause network-wide consensus failures by proposing invalid election macro blocks that pass initial validation but fail during block finalization, potentially halting the blockchain.
Affected Products
- nimiq/core-rs-albatross versions prior to 1.3.0
- Nimiq Proof-of-Stake nodes running the Albatross consensus algorithm
- Validator nodes participating in block proposal and voting
Discovery Timeline
- 2026-04-03 - CVE-2026-34061 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34061
Vulnerability Analysis
This vulnerability represents an Insufficient Verification of Data Authenticity issue (CWE-345) within the Nimiq blockchain consensus mechanism. The flaw exists in the verify_macro_block_proposal() function, which is responsible for validating incoming macro block proposals from elected validator proposers during the Tendermint consensus rounds.
When an election macro block proposal is received, the validation function performs multiple checks including header shape verification, successor relation validation, proposer authentication, body root verification, and state validation. However, the function omits a critical check: verifying that the header.interlink field matches the canonical next interlink for election blocks.
The interlink is the header field that ties an election block to earlier election blocks, which is what makes efficient verification of the chain's history possible. Because an incorrect interlink is allowed through proposal validation, the vulnerability opens a timing gap in the consensus process: the block is decided before the check that would reject it ever runs.
Root Cause
The root cause lies in the incomplete validation logic within the verify_macro_block_proposal() function. While the function performs comprehensive checks on most aspects of the block proposal, it specifically lacks interlink binding verification for election macro blocks. This validation gap allows malformed blocks to proceed through the Tendermint voting process (prevote and precommit phases) before being rejected later in the verify_block() function with an InvalidInterlink error.
The architectural issue is that proposal verification and block verification are separate code paths, and the proposal path does not apply every check the push path applies. As a result, a block can be voted on and decided in Tendermint consensus before all necessary validations have been performed.
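The validation split described above, as an added example in Rust that is not code from nimiq/core-rs-albatross: the header type, the toy FNV-1a hash and the simplified skip-list interlink rule are all assumptions (the project's real interlink construction is not reproduced here), and only the names verify_macro_block_proposal, verify_block and InvalidInterlink come from the advisory. It places a proposal check that omits the interlink binding next to a 1.3.0-style check that enforces it, and a round simulation shows where each one rejects a mismatched interlink relative to the Tendermint vote.

```rust
// Added example, not code from nimiq/core-rs-albatross. Models the split between
// proposal verification and push-time verification. Header type, toy hash and the
// simplified interlink rule are assumptions; only the function/error names are real.

pub type Hash = u64; // toy digest width; stands in for the project's real hash type

#[derive(Clone, Debug, PartialEq)]
pub struct MacroHeader {
    pub epoch: u32,                 // 1-based in this model
    pub is_election: bool,
    pub parent_election_hash: Hash, // successor relation to the previous election block
    pub interlink: Vec<Hash>,
}

#[derive(Debug, PartialEq)]
pub enum VerifyError { InvalidSuccessor, InvalidInterlink }

/// Toy FNV-1a digest over the header fields (assumption; not the project's hash).
pub fn header_hash(h: &MacroHeader) -> Hash {
    let mut bytes = h.epoch.to_le_bytes().to_vec();
    bytes.push(h.is_election as u8);
    bytes.extend_from_slice(&h.parent_election_hash.to_le_bytes());
    h.interlink.iter().for_each(|e| bytes.extend_from_slice(&e.to_le_bytes()));
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |acc, b| (acc ^ *b as u64).wrapping_mul(0x0100_0000_01b3))
}

/// Simplified skip-list interlink rule (assumption): entries 0..=level of the previous
/// election block's interlink are overwritten with its hash, where level is the number
/// of trailing zero bits of its epoch. The real rule lives in the project, not here.
pub fn canonical_next_interlink(prev: &MacroHeader) -> Vec<Hash> {
    let level = prev.epoch.max(1).trailing_zeros() as usize;
    let h = header_hash(prev);
    let mut link = prev.interlink.clone();
    if link.len() <= level { link.resize(level + 1, h); }
    link[..=level].iter_mut().for_each(|e| *e = h);
    link
}

fn check_successor(prev: &MacroHeader, p: &MacroHeader) -> Result<(), VerifyError> {
    let ok = p.epoch == prev.epoch + 1 && p.parent_election_hash == header_hash(prev);
    if ok { Ok(()) } else { Err(VerifyError::InvalidSuccessor) }
}

fn check_interlink(prev: &MacroHeader, p: &MacroHeader) -> Result<(), VerifyError> {
    let ok = !p.is_election || p.interlink == canonical_next_interlink(prev);
    if ok { Ok(()) } else { Err(VerifyError::InvalidInterlink) }
}

/// Proposal check as modeled for versions before 1.3.0: no interlink binding.
pub fn verify_macro_block_proposal_vulnerable(prev: &MacroHeader, p: &MacroHeader) -> Result<(), VerifyError> {
    check_successor(prev, p)
}

/// Proposal check as modeled for 1.3.0: the interlink binding runs before any vote.
pub fn verify_macro_block_proposal_fixed(prev: &MacroHeader, p: &MacroHeader) -> Result<(), VerifyError> {
    check_successor(prev, p)?;
    check_interlink(prev, p)
}

/// Push-time check, which has always enforced the interlink binding.
pub fn verify_block(prev: &MacroHeader, b: &MacroHeader) -> Result<(), VerifyError> {
    check_successor(prev, b)?;
    check_interlink(prev, b)
}

#[derive(Debug, PartialEq)]
pub enum Outcome { RejectedBeforeVote, RejectedAfterDecision, Applied }

/// One round reduced to where validation happens relative to the Tendermint vote.
pub fn simulate_round(prev: &MacroHeader, proposal: &MacroHeader,
    proposal_check: fn(&MacroHeader, &MacroHeader) -> Result<(), VerifyError>) -> Outcome {
    if proposal_check(prev, proposal).is_err() { return Outcome::RejectedBeforeVote; }
    // Prevote and precommit on the header hash happen here; the block is decided.
    match verify_block(prev, proposal) {
        Ok(()) => Outcome::Applied,
        Err(_) => Outcome::RejectedAfterDecision, // decided but unpushable: the halt scenario
    }
}

pub fn genesis_election() -> MacroHeader {
    MacroHeader { epoch: 1, is_election: true, parent_election_hash: 0, interlink: vec![] }
}

pub fn honest_next_election(prev: &MacroHeader) -> MacroHeader {
    MacroHeader { epoch: prev.epoch + 1, is_election: true,
        parent_election_hash: header_hash(prev), interlink: canonical_next_interlink(prev) }
}

fn main() {
    let prev = genesis_election();
    let honest = honest_next_election(&prev);
    let mut stale = honest.clone();
    stale.interlink = prev.interlink.clone(); // wrong binding: reuses the old interlink
    for (name, p) in [("honest", &honest), ("stale interlink", &stale)] {
        let old = simulate_round(&prev, p, verify_macro_block_proposal_vulnerable);
        let new = simulate_round(&prev, p, verify_macro_block_proposal_fixed);
        println!("{name}: before 1.3.0 {old:?}, with 1.3.0 {new:?}");
    }
}
```

The point of the model is the ordering, not the hash or interlink details: with the pre-1.3.0 proposal check a mismatched election header reaches the vote and only fails in verify_block, which is the decided-but-unpushable state the advisory describes, while the 1.3.0-style check turns the same input into an ordinary pre-vote rejection.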
Attack Vector
The attack can be executed by a malicious actor who has been elected as a validator proposer. The attack follows this sequence:
- The attacker waits to be elected as a block proposer during an election macro block slot
- The attacker crafts an election macro block with a valid structure but with an intentionally incorrect header.interlink value
- The malformed block is broadcast to the network and passes verify_macro_block_proposal() validation
- Honest validators prevote and precommit the malformed header hash, completing the Tendermint decision process
- When validators attempt to push the finalized block, verify_block() rejects it with InvalidInterlink
- The network enters a consensus failure state as a decided block cannot be applied
This attack requires elevated privileges (being an elected validator) but can be executed remotely over the network without user interaction.
Detection Methods for CVE-2026-34061
Indicators of Compromise
- Repeated InvalidInterlink errors appearing in validator node logs after Tendermint consensus completion
- Blockchain stalls or forks occurring specifically during election macro block processing
- Consensus failures logged immediately following successful block voting phases
Detection Strategies
- Monitor validator logs for InvalidInterlink rejection messages that occur after Tendermint block decisions
- Implement alerting on consensus state discrepancies between voted blocks and applied blocks
- Track election macro block validation failures and correlate with specific proposer identities
Monitoring Recommendations
- Deploy log aggregation for all validator nodes to detect network-wide consensus anomalies
- Create dashboards tracking block proposal acceptance rates versus block push success rates
- Implement automated health checks that verify blockchain progression during election epochs
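The first detection strategy above, applied to constructed validator log lines as an added example in Rust that is not code from nimiq/core-rs-albatross: the key=value log format, the event wording and the field names are assumptions, so a real deployment needs its own parser for the node's actual log lines. An InvalidInterlink push failure is flagged only when Tendermint had already decided the same block hash, which separates this bug's signature from an ordinary pre-vote rejection, and the alerts are then correlated by proposer identity.

```rust
// Added example, not code from nimiq/core-rs-albatross. Detects InvalidInterlink push
// failures that follow a Tendermint decision on the same block hash. Log format and
// field names are assumptions; the sample lines below are constructed.
use std::collections::{BTreeMap, HashMap};

/// Constructed sample log lines (assumption: key=value fields, one event per line).
pub const SAMPLE_LOG: &[&str] = &[
    "2026-04-03T10:00:00Z INFO  tendermint: proposal accepted epoch=41 hash=a1 proposer=validator-3",
    "2026-04-03T10:00:01Z INFO  tendermint: decided epoch=41 hash=a1 proposer=validator-3",
    "2026-04-03T10:00:01Z INFO  blockchain: pushed epoch=41 hash=a1",
    "2026-04-03T10:05:00Z INFO  tendermint: proposal accepted epoch=42 hash=b2 proposer=validator-7",
    "2026-04-03T10:05:01Z INFO  tendermint: decided epoch=42 hash=b2 proposer=validator-7",
    "2026-04-03T10:05:01Z ERROR blockchain: push failed epoch=42 hash=b2 reason=InvalidInterlink",
    "2026-04-03T10:05:02Z ERROR blockchain: push failed epoch=42 hash=b2 reason=InvalidInterlink",
    "2026-04-03T10:10:00Z WARN  tendermint: proposal rejected epoch=43 hash=c3 proposer=validator-9 reason=InvalidInterlink",
];

#[derive(Clone, Debug, PartialEq)]
pub struct Alert { pub epoch: u32, pub hash: String, pub proposer: String, pub failures: usize }

/// Extracts the value of a `key=value` token from a log line.
fn field(line: &str, key: &str) -> Option<String> {
    let prefix = format!("{key}=");
    line.split_whitespace().find_map(|tok| tok.strip_prefix(prefix.as_str()).map(str::to_string))
}

/// Flags decided blocks whose push failed with InvalidInterlink, one alert per block hash,
/// counting repeated push attempts for the same block.
pub fn post_decision_interlink_failures(lines: &[&str]) -> Vec<Alert> {
    let mut decided: HashMap<String, (u32, String)> = HashMap::new(); // hash -> (epoch, proposer)
    let mut alerts: Vec<Alert> = Vec::new();
    for line in lines {
        if line.contains("tendermint: decided") {
            if let (Some(h), Some(e), Some(p)) = (field(line, "hash"), field(line, "epoch"), field(line, "proposer")) {
                decided.insert(h, (e.parse().unwrap_or(0), p));
            }
        } else if line.contains("push failed") && field(line, "reason").as_deref() == Some("InvalidInterlink") {
            let h = match field(line, "hash") { Some(h) => h, None => continue };
            // No prior decision for this hash means it was rejected before voting: not this bug's signature.
            let (epoch, proposer) = match decided.get(&h) { Some(d) => d.clone(), None => continue };
            if let Some(a) = alerts.iter_mut().find(|a| a.hash == h) {
                a.failures += 1;
            } else {
                alerts.push(Alert { epoch, hash: h, proposer, failures: 1 });
            }
        }
    }
    alerts
}

/// Correlates alerts with proposer identity, as the detection strategy suggests.
pub fn failures_by_proposer(alerts: &[Alert]) -> BTreeMap<String, usize> {
    let mut by = BTreeMap::new();
    for a in alerts { *by.entry(a.proposer.clone()).or_insert(0) += a.failures; }
    by
}

fn main() {
    let alerts = post_decision_interlink_failures(SAMPLE_LOG);
    for a in &alerts {
        println!("ALERT epoch={} hash={} proposer={} failures={}", a.epoch, a.hash, a.proposer, a.failures);
    }
    println!("{:?}", failures_by_proposer(&alerts));
}
```

On the sample input only epoch 42 produces an alert: epoch 41 was decided and pushed normally, and the epoch 43 line is a rejection before any decision, which is what the fixed check in 1.3.0 would log rather than a consensus failure.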
How to Mitigate CVE-2026-34061
Immediate Actions Required
- Upgrade all nimiq/core-rs-albatross nodes to version 1.3.0 or later immediately
- Review validator node logs for any historical evidence of InvalidInterlink errors following consensus
- Consider temporarily increasing monitoring on validator proposer behavior during election epochs
Patch Information
The vulnerability has been patched in nimiq/core-rs-albatross version 1.3.0. The fix adds interlink binding verification to the verify_macro_block_proposal() function, ensuring that election macro blocks are validated for correct interlink values before the Tendermint voting process begins.
For detailed technical information about the patch, see the GitHub Security Advisory GHSA-gr83-j5f8-p2r5 and the GitHub Commit implementing the fix.
Workarounds
- No official workarounds are available; upgrading to version 1.3.0 is the recommended remediation
- Network operators may consider implementing additional monitoring to detect exploitation attempts before patching
- In extreme cases, temporarily suspending participation in election macro block consensus may reduce exposure, though this impacts network participation
# Upgrade nimiq/core-rs-albatross to the patched version
# Using cargo to update to the fixed release
cargo update -p nimiq-core
# Verify the installed version is 1.3.0 or later (prints "nimiq-core v<version>")
cargo tree -p nimiq-core --depth 0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

