CVE-2026-44505 Overview
CVE-2026-44505 affects Nimiq core-rs-albatross, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The flaw exists in the network-libp2p crate, specifically in handle_dht_get within network-libp2p/src/swarm.rs. When a peer returns a FoundRecord that fails verification, the handler logs the error and returns early without completing the oneshot channel awaited by Network::dht_get. Because the caller awaits this oneshot without a timeout, the future hangs indefinitely. The issue is fixed in version 1.4.0.
Critical Impact
Callers of Network::dht_get can hang indefinitely when a DHT peer returns an unverifiable record, degrading availability of dependent node operations.
Affected Products
- Nimiq core-rs-albatross network-libp2p prior to version 1.4.0
- Nimiq Proof-of-Stake nodes built on the Albatross consensus implementation
- Downstream applications depending on Network::dht_get for DHT lookups
Discovery Timeline
- 2026-06-10 - CVE-2026-44505 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-44505
Vulnerability Analysis
The vulnerability is an improper check for unusual or exceptional conditions [CWE-755] in the DHT query handling logic. handle_dht_get processes Kademlia get-record query progress events from libp2p. When a peer returns a FoundRecord, the code invokes dht_verifier.verify(&record.record) to validate the record contents. If verification fails, the handler logs the error and returns early. This early return skips completion of the oneshot sender that Network::dht_get awaits and leaves per-query bookkeeping intact. Subsequent query progress events for the same query then enter the DHT inconsistent state path and likewise return without cleanup. The caller awaits the oneshot without a timeout, so the future never resolves.
Root Cause
The root cause is missing error-path cleanup in handle_dht_get. Verifier errors and the inconsistent-state branch both exit without signaling the awaiting oneshot or removing per-query state. Combined with an unbounded await in Network::dht_get, any verification failure converts into an indefinite hang.
Attack Vector
A network-adjacent peer can trigger the hang by responding to a DHT get-record query with a record that fails the application's verifier. No authentication or user interaction is required. Repeated triggering can stall multiple in-flight queries, reducing node availability for DHT-dependent operations.
No verified exploit code is published. See the GitHub Security Advisory GHSA-g39c-jcgg-qwvr and the fix in pull request #3716 for technical details.
Detection Methods for CVE-2026-44505
Indicators of Compromise
- Log entries from handle_dht_get indicating dht_verifier.verify failures followed by no corresponding query completion
- Log entries referencing the DHT inconsistent state code path in network-libp2p/src/swarm.rs
- Stalled or never-resolving futures originating from Network::dht_get call sites
Detection Strategies
- Inventory all deployed Nimiq nodes and confirm the core-rs-albatross version is 1.4.0 or later
- Instrument Network::dht_get call sites with metrics for query duration to surface queries exceeding expected latency
- Correlate verifier-error log events with the count of outstanding DHT queries to identify abandoned bookkeeping
Monitoring Recommendations
- Alert on increases in pending DHT queries that never complete within a defined service-level threshold
- Monitor peer behavior for repeated delivery of records that fail verification from the same source
- Track node process memory and task counts for slow growth consistent with leaked per-query state
How to Mitigate CVE-2026-44505
Immediate Actions Required
- Upgrade core-rs-albatross and the network-libp2p crate to version 1.4.0 or later
- Audit dependent applications for direct use of Network::dht_get and wrap calls with explicit timeouts
- Review DHT verifier implementations to confirm they fail deterministically and emit actionable telemetry
Patch Information
The issue is patched in version 1.4.0. Details are available in the GitHub Release v1.4.0 notes and the upstream pull request #3716, which corrects the error paths in handle_dht_get to complete the oneshot and clean up per-query bookkeeping.
Workarounds
- Wrap Network::dht_get calls in a tokio::time::timeout to bound caller wait time when immediate upgrade is not possible
- Restrict peering to trusted DHT participants to reduce exposure to unverifiable record responses
- Restart affected nodes to clear hung futures and stale per-query state until the patch is applied
```bash
# Update Cargo dependency to the patched release
cargo update -p nimiq-network-libp2p --precise 1.4.0
cargo build --release
```
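The error-path pattern described under Root Cause and the bounded-wait workaround listed above, as an added example that is not the project's own code: a std-only model in which std::sync::mpsc stands in for the oneshot channel and recv_timeout for tokio::time::timeout. Pending, verify, bounded_wait and the sample records are hypothetical names and constructed values.

```rust
use std::collections::HashMap;
use std::sync::mpsc::{channel, Receiver, RecvTimeoutError, Sender};
use std::time::Duration;

type DhtResult = Result<Vec<u8>, &'static str>;

/// Hypothetical stand-in for per-query bookkeeping: query id -> completion sender.
#[derive(Default)]
struct Pending { queries: HashMap<u64, Sender<DhtResult>> }

/// Constructed verifier: only records starting with b"ok" pass.
fn verify(record: &[u8]) -> bool { record.starts_with(b"ok") }

impl Pending {
    fn register(&mut self, id: u64) -> Receiver<DhtResult> {
        let (tx, rx) = channel();
        self.queries.insert(id, tx);
        rx
    }
    /// Pattern from the advisory: on verifier error, log and return early.
    /// The sender stays in the map, so the receiver is never completed.
    fn on_record_vulnerable(&mut self, id: u64, record: &[u8]) {
        if !verify(record) {
            eprintln!("query {id}: record failed verification");
            return;
        }
        if let Some(tx) = self.queries.remove(&id) { let _ = tx.send(Ok(record.to_vec())); }
    }
    /// Hardened: every exit path removes the entry and completes the channel.
    fn on_record_fixed(&mut self, id: u64, record: &[u8]) {
        let Some(tx) = self.queries.remove(&id) else { return };
        let outcome = if verify(record) { Ok(record.to_vec()) } else { Err("verification failed") };
        let _ = tx.send(outcome);
    }
}

/// Caller-side bound on the wait (std analogue of wrapping the await in a timeout).
fn bounded_wait(rx: &Receiver<DhtResult>, limit: Duration) -> Result<DhtResult, RecvTimeoutError> {
    rx.recv_timeout(limit)
}

fn main() {
    let mut p = Pending::default();
    let (rx1, rx2) = (p.register(1), p.register(2));
    p.on_record_vulnerable(1, b"bad"); // constructed unverifiable record
    p.on_record_fixed(2, b"bad");
    println!("vulnerable: {:?}", bounded_wait(&rx1, Duration::from_millis(100)));
    println!("fixed:      {:?}", bounded_wait(&rx2, Duration::from_millis(100)));
}
```

In the vulnerable path only the caller's timeout ends the wait and the map entry for the query is still present afterwards; in the hardened path the caller receives the verification error immediately and the entry is gone.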