CVE-2026-34065 Overview
A denial of service vulnerability exists in nimiq-primitives, a library containing primitives (e.g., block, account, transaction) used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted peer-to-peer (P2P) peer can cause a node to panic by announcing an election macro block containing an invalid compressed BLS voting key within the validators set. When the application attempts to hash an election macro header, it processes the validators field and reaches Validators::voting_keys(), which calls validator.voting_key.uncompress().unwrap(). If the BLS key bytes are invalid, the .unwrap() call panics, crashing the node.
Critical Impact
Remote attackers can crash Nimiq blockchain nodes by sending crafted P2P messages with malformed BLS keys, potentially disrupting network consensus and availability.
Affected Products
- nimiq-primitives (Rust library) versions prior to 1.3.0
- Nimiq core-rs-albatross implementations using affected nimiq-primitives versions
Discovery Timeline
- April 22, 2026 - CVE-2026-34065 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34065
Vulnerability Analysis
This vulnerability represents a classic unchecked return value issue (CWE-252) in the handling of cryptographic key decompression. In Nimiq's Rust implementation, when processing election macro blocks received from P2P peers, the system hashes the block header which includes validator information. Each validator entry contains a compressed BLS voting key that must be decompressed before use.
The vulnerable code path is triggered when Validators::voting_keys() is called during the hashing operation. This function iterates through validators and calls validator.voting_key.uncompress().unwrap() on each voting key. The uncompress() method returns a Result type that may contain an error if the compressed key bytes are malformed or invalid. By using .unwrap() directly, the code assumes decompression will always succeed. When an attacker provides an invalid BLS key, the unwrap() call on an Err variant causes a panic, immediately terminating the node process.
Root Cause
The root cause is the use of .unwrap() on a fallible operation (uncompress()) without proper error handling. This violates the principle of defensive programming, especially when processing untrusted input from P2P network peers. The BLS key decompression operation can fail for various reasons including malformed byte sequences, invalid curve points, or corrupted data. The code should validate and gracefully handle decompression failures rather than panicking.
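The unchecked and checked forms of this pattern side by side, as an added example that is not Nimiq's code: `CompressedKey`, `PublicKey`, `KeyError` and the function names are hypothetical, and the 8-byte validity rule is a stand-in for real BLS point decompression.

```rust
use std::panic;

#[derive(Debug, PartialEq)]
pub struct KeyError { pub index: usize }

#[derive(Clone)]
pub struct CompressedKey(pub Vec<u8>);

#[derive(Debug, PartialEq)]
pub struct PublicKey(pub Vec<u8>);

impl CompressedKey {
    // Stand-in validity rule (assumption): exactly 8 bytes, not all zero.
    // Real BLS decompression checks that the bytes encode a valid curve point.
    pub fn uncompress(&self) -> Result<PublicKey, &'static str> {
        if self.0.len() == 8 && self.0.iter().any(|b| *b != 0) {
            Ok(PublicKey(self.0.clone()))
        } else {
            Err("invalid key encoding")
        }
    }
}

// Vulnerable shape described in the advisory: unwrap() on peer-supplied data.
pub fn voting_keys_unchecked(keys: &[CompressedKey]) -> Vec<PublicKey> {
    keys.iter().map(|k| k.uncompress().unwrap()).collect()
}

// Hardened shape: the first bad key becomes an Err the caller can act on,
// for example by rejecting the block and penalising the sending peer.
pub fn voting_keys_checked(keys: &[CompressedKey]) -> Result<Vec<PublicKey>, KeyError> {
    keys.iter()
        .enumerate()
        .map(|(index, k)| k.uncompress().map_err(|_| KeyError { index }))
        .collect()
}

// Constructed sample validator set: the second entry is malformed (too short).
pub fn sample_validators() -> Vec<CompressedKey> {
    vec![CompressedKey(vec![1; 8]), CompressedKey(vec![0xff; 3])]
}

// Runs the unchecked path under catch_unwind so the panic is observable.
pub fn unchecked_panics(keys: &[CompressedKey]) -> bool {
    panic::catch_unwind(|| voting_keys_unchecked(keys)).is_err()
}

fn main() {
    let set = sample_validators();
    println!("unchecked panics: {}", unchecked_panics(&set));
    println!("checked result: {:?}", voting_keys_checked(&set));
}
```

Returning the index of the failing entry lets the caller log which validator slot was malformed without ever dereferencing the bad key.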
Attack Vector
The attack exploits the P2P network communication layer in Nimiq nodes. An attacker can connect to a target node as a P2P peer and announce a specially crafted election macro block. This block contains a validators set with at least one entry containing invalid compressed BLS voting key bytes.
When the victim node receives this block announcement and attempts to process or validate it, the hashing operation on the macro header triggers the vulnerable code path. The node iterates through the validators, attempts to decompress the malicious BLS key, encounters an error, and panics due to the unchecked .unwrap() call. This results in immediate node termination, causing a denial of service condition.
The attack requires network access to the target node's P2P interface but does not require authentication or any special privileges. The attacker does not need to be a legitimate validator or hold any stake in the network.
Detection Methods for CVE-2026-34065
Indicators of Compromise
- Unexpected node crashes or restarts with panic messages referencing uncompress() or BLS key operations
- P2P connection logs showing repeated block announcements from unknown or suspicious peers
- Stack traces in error logs containing Validators::voting_keys() or voting_key.uncompress().unwrap()
- Anomalous election macro block announcements with invalid validator data
Detection Strategies
- Monitor node process stability and implement crash detection alerting for Nimiq nodes
- Implement P2P traffic analysis to identify malformed block announcements with invalid BLS key data
- Configure log aggregation to detect panic messages containing BLS decompression failures
- Deploy network intrusion detection rules for abnormal validator set data in macro block messages
Monitoring Recommendations
- Enable verbose logging on Nimiq nodes to capture P2P message details and potential attack attempts
- Implement automated node health checks with restart mechanisms to maintain availability
- Monitor P2P peer reputation and connection patterns for suspicious behavior
- Track node uptime metrics to identify potential DoS attack patterns
How to Mitigate CVE-2026-34065
Immediate Actions Required
- Upgrade nimiq-primitives and core-rs-albatross to version 1.3.0 or later immediately
- Review and restart any affected nodes to ensure they are running the patched version
- Monitor node stability closely during the upgrade transition period
- Consider temporarily restricting P2P connections to trusted peers if immediate patching is not possible
Patch Information
The patch for this vulnerability is included in Nimiq core-rs-albatross version 1.3.0. The fix replaces the unchecked .unwrap() call with error handling that returns an error when BLS key decompression fails instead of panicking. The fix is implemented in GitHub commit e10eaeb.
For additional context on the vulnerability and fix, refer to the GitHub Security Advisory GHSA-7c4j-2m43-2mgh and the related Pull Request #3662.
Workarounds
- No known workarounds are available for this vulnerability according to the security advisory
- Network-level firewall rules may provide limited protection by restricting P2P access to trusted peers only
- Implementing process supervision with automatic restart capabilities can minimize downtime but does not prevent the underlying vulnerability
```bash
# Upgrade to patched version
cargo update -p nimiq-primitives --precise 1.3.0
# Verify installed version
cargo tree -p nimiq-primitives | grep nimiq-primitives
```

