CVE-2026-34067 Overview
CVE-2026-34067 is a Denial of Service vulnerability affecting the nimiq-transaction component, which provides the transaction primitive used in Nimiq's Rust implementation (core-rs-albatross). The vulnerability exists in the HistoryTreeProof::verify function, which panics when processing a malformed proof where the history and positions arrays have mismatched lengths due to an assert_eq! check.
The proof object is derived from untrusted peer-to-peer responses (ResponseTransactionsProof.proof) and is attacker-controlled at the network boundary until validated. A malicious peer could exploit this vulnerability to trigger a node crash by returning a crafted inclusion proof with a length mismatch.
Critical Impact
A malicious network peer can crash Nimiq nodes by sending specially crafted transaction inclusion proofs, potentially disrupting blockchain network operations and node availability.
Affected Products
- nimiq-transaction prior to version 1.3.0
- Nimiq core-rs-albatross prior to v1.3.0
Discovery Timeline
- 2026-04-22 - CVE CVE-2026-34067 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-34067
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), where an assertion in the code can be triggered by an attacker through external input. The HistoryTreeProof::verify function contains a defensive assert_eq!(history.len(), positions.len()) check that validates internal consistency of proof data. However, because this assertion panics rather than returning an error, and the proof data originates from untrusted network peers, attackers can deliberately provide malformed proofs to crash victim nodes.
The attack requires network access to communicate with the target Nimiq node through the P2P protocol. While the attack complexity is relatively high—requiring the attacker to craft specific malformed proofs and deliver them through the P2P network—no authentication is required, making any network-accessible node a potential target. The impact is limited to availability (crash), with no confidentiality or integrity implications.
Root Cause
The root cause is the use of a panicking assertion (assert_eq!) to validate untrusted input data at the network boundary. In Rust, assertions cause the program to panic and terminate when the condition fails. While assertions are appropriate for detecting programming errors or invariant violations on trusted data, they should not be used to validate data from untrusted sources like network peers.
The HistoryTreeProof structure contains history and positions arrays that must have matching lengths for valid proofs. When a malicious peer sends a ResponseTransactionsProof with intentionally mismatched array lengths, the assertion fails and the node crashes.
Attack Vector
The attack exploits the peer-to-peer communication layer of Nimiq nodes. An attacker can:
- Connect to a target Nimiq node as a network peer
- Wait for or trigger a transaction proof request from the victim
- Respond with a malformed ResponseTransactionsProof containing a HistoryTreeProof where history.len() != positions.len()
- The victim node's HistoryTreeProof::verify function panics on the assertion, crashing the node
The vulnerability manifests in the proof verification logic where array length consistency is checked using a panicking assertion rather than graceful error handling. Technical details and the specific code changes can be found in the GitHub Security Advisory and the associated pull request #3659.
Detection Methods for CVE-2026-34067
Indicators of Compromise
- Unexpected Nimiq node crashes or restarts without clear cause
- Panic messages in logs containing assert_eq! failures related to HistoryTreeProof::verify
- Log entries showing length mismatches between history and positions arrays
- Repeated node failures following connections from specific peers
Detection Strategies
- Monitor application logs for Rust panic messages mentioning HistoryTreeProof or assertion failures
- Implement alerting on unexpected process terminations of Nimiq node services
- Track peer connection patterns to identify potentially malicious nodes sending malformed proofs
- Deploy process monitoring to detect rapid restart cycles indicative of DoS attacks
Monitoring Recommendations
- Configure centralized logging to capture Rust panic stack traces from Nimiq nodes
- Set up availability monitoring with automatic alerts for node downtime
- Monitor P2P network traffic for anomalous proof response patterns
- Implement peer reputation tracking to identify and block suspicious network participants
How to Mitigate CVE-2026-34067
Immediate Actions Required
- Upgrade nimiq-transaction and core-rs-albatross to version 1.3.0 or later immediately
- Review node logs for evidence of prior exploitation attempts
- Consider temporarily limiting P2P connections to trusted peers if upgrade cannot be performed immediately
- Implement automated node restart mechanisms to minimize downtime from potential crashes
Patch Information
The fix for this vulnerability is included in Nimiq core-rs-albatross version 1.3.0. The patch replaces the panicking assert_eq! with proper error handling that gracefully rejects malformed proofs without crashing the node.
Upgrade to the patched version by pulling the latest release:
Workarounds
- No official workarounds are available for this vulnerability
- Upgrading to v1.3.0 is the only supported remediation
- As a temporary measure, limiting network exposure or peer connections may reduce risk but does not eliminate the vulnerability
# Upgrade to patched version
cd /path/to/nimiq/core-rs-albatross
git fetch --tags
git checkout v1.3.0
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
