CVE-2026-40094 Overview
CVE-2026-40094 affects nimiq-blockchain, the persistent block storage component for Nimiq's Rust implementation (core-rs-albatross). The flaw exists in the network-libp2p discovery subsystem, which accepts signed PeerContact updates from untrusted peers without validating that the embedded address list is non-empty. A remote attacker can publish a signed PeerContact containing an empty addresses field, poisoning the peer contact book. When any client subsequently calls get_address_book through RPC or the web client, the node panics and the RPC task crashes. The issue is fixed in version 1.4.0.
Critical Impact
A remote, unauthenticated attacker can crash Nimiq nodes and RPC tasks by injecting a signed PeerContact with no addresses, producing a denial-of-service condition against blockchain infrastructure.
Affected Products
- nimiq-blockchain versions 1.3.0 and prior
- Nimiq core-rs-albatross Rust implementation
- network-libp2p peer discovery component
Discovery Timeline
- 2026-05-20 - CVE-2026-40094 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-40094
Vulnerability Analysis
The vulnerability is an improper check for unusual or exceptional conditions [CWE-754]. The PeerContact structure used by Nimiq's libp2p discovery protocol permits an empty addresses list because no intrinsic schema validation enforces a minimum of one address. Peers exchange signed PeerContact records during discovery, and signature validity is treated as sufficient trust to insert the record into the local peer contact book.
Downstream, PeerContactBook::known_peers constructs an address book by iterating contacts and calling addresses.first().expect("every peer should have at least one address"). The expect invocation assumes a structural invariant that the network layer never enforces. When a malicious contact with addresses=[] is present, the call panics. Depending on the runtime panic strategy, the result is either node termination or a crashed RPC task, denying service to clients invoking get_address_book.
Root Cause
The root cause is a missing validation step at the trust boundary between network-supplied data and internal data structures. Signature verification confirms authorship, not semantic correctness. Combining unvalidated input with expect-based assumptions converts a malformed message into a panic.
Attack Vector
The attack is network-reachable and does not require authentication beyond participating in peer discovery. An attacker generates a libp2p peer identity, signs a PeerContact with an empty address list, and gossips it through the discovery protocol. Any node that receives the contact and later exposes get_address_book over RPC or the web client crashes when the lookup executes.
The vulnerability is described in prose because no proof-of-concept code is published with the advisory. See the GitHub Security Advisory GHSA-c45m-6x25-3cjq for vendor detail.
Detection Methods for CVE-2026-40094
Indicators of Compromise
- Repeated panics in Nimiq node logs referencing every peer should have at least one address or PeerContactBook::known_peers.
- Unexpected termination of RPC tasks immediately following get_address_book calls.
- Presence of signed PeerContact records with empty addresses fields in the peer contact book.
Detection Strategies
- Monitor process exit codes and stderr from nimiq-client for Rust panic stack traces tied to peer discovery.
- Audit peer contact book contents for entries where the address list length equals zero.
- Correlate node restarts with inbound libp2p gossip activity to identify hostile peers.
Monitoring Recommendations
- Forward node logs to a centralized log platform and alert on Rust panic signatures.
- Track RPC availability metrics on get_address_book and alert on sudden failure rates.
- Maintain version inventory of all Nimiq nodes to confirm patch coverage to 1.4.0 or later.
How to Mitigate CVE-2026-40094
Immediate Actions Required
- Upgrade all Nimiq nodes running core-rs-albatross to version 1.4.0 or later.
- Restart any node currently experiencing repeated panics to clear the poisoned peer contact book from memory.
- Restrict RPC and web client exposure to trusted networks until the patch is applied.
Patch Information
The fix is included in core-rs-albatross v1.4.0 via pull request #3715. The patch adds validation rejecting PeerContact records with empty address lists and replaces the panicking expect call with safe handling. Review the GitHub Security Advisory GHSA-c45m-6x25-3cjq for full remediation guidance.
Workarounds
- Limit get_address_book RPC exposure with firewall rules or reverse proxy access control lists until upgrade is possible.
- Configure the node panic strategy to unwind rather than abort so a single RPC task failure does not terminate the process.
- Operate nodes in a supervised process manager such as systemd with automatic restart to reduce downtime if a panic occurs.
# Upgrade to the patched release
git fetch --tags
git checkout v1.4.0
cargo build --release --bin nimiq-client
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
