CVE-2026-46541: Nimiq Rust Implementation DoS Vulnerability

CVE-2026-46541 Overview

CVE-2026-46541 affects Nimiq, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The vulnerability resides in the handle_dht_get() function, where the DhtResults accumulator is only initialized after the first Distributed Hash Table (DHT) record passes verification. A malicious DHT node can supply an invalid first record, preventing the accumulator from being created. All subsequent valid records are then discarded with DHT inconsistent state errors. The flaw is tracked under [CWE-754: Improper Check for Unusual or Exceptional Conditions]. Maintainers patched the issue in version 1.4.0.

Critical Impact

A single malicious DHT peer can poison lookups for legitimate Nimiq nodes, denying availability of valid DHT records and disrupting peer discovery and protocol operations.

Affected Products

• Nimiq core-rs-albatross prior to version 1.4.0
• Nimiq Proof-of-Stake node software based on the Albatross consensus algorithm
• Network participants relying on DHT-based peer or record discovery

Discovery Timeline

• 2026-06-10 - CVE-2026-46541 published to NVD
• 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-46541

Vulnerability Analysis

The defect lives in the handle_dht_get() routine inside core-rs-albatross. DHT lookups return multiple records that must be cross-verified before acceptance. The implementation defers creation of the DhtResults accumulator until the first record has been verified. When the first record fails verification, the accumulator is never instantiated. Every subsequent record, including legitimate ones from honest peers, is then rejected as inconsistent state.

This turns a normal verification failure into a denial-of-service primitive. An attacker controlling even one responsive DHT node can return a malformed or invalid record first, causing the requesting node to discard the rest of the response set. Peer discovery and any feature dependent on DHT lookups degrade or fail.

Root Cause

The root cause is improper handling of an exceptional condition during result aggregation. Initialization of the result container is conditional on success of the first item rather than on entry into the handler. There is no fallback path that preserves later valid records when an earlier record fails. See the fix in GitHub Pull Request #3707 and the GitHub Security Advisory GHSA-ccqv-2c9q-mqw5.

Attack Vector

The attack is remote and unauthenticated over the network. An adversary operates a malicious DHT node that participates in lookup responses to targeted Nimiq peers. By ensuring its invalid record is the first processed, it prevents victims from accepting any valid records returned in the same lookup. No user interaction is required, and the attack complexity is low.

No public proof-of-concept code is published in the referenced advisory. Refer to the GitHub Release v1.4.0 notes for the corrective implementation.

Detection Methods for CVE-2026-46541

Indicators of Compromise

• Repeated DHT inconsistent state error messages in Nimiq node logs following DHT get operations
• Sustained failure to resolve DHT records despite a healthy peer set and network reachability
• Lookups consistently failing when responses originate from a specific peer identifier or IP range

Detection Strategies

• Monitor core-rs-albatross logs for elevated rates of DHT verification failures correlated with specific remote peers
• Compare DHT lookup success rates across nodes on the same network to identify peers experiencing disproportionate failures
• Track the Nimiq client version in production to flag any node running a release earlier than 1.4.0

Monitoring Recommendations

• Alert on log patterns matching DHT inconsistent state exceeding a baseline threshold per hour
• Capture and retain peer identifiers associated with discarded DHT records for forensic review
• Instrument metrics for DHT get success ratio and broadcast peer reputation scores

How to Mitigate CVE-2026-46541

Immediate Actions Required

• Upgrade all Nimiq core-rs-albatross deployments to version 1.4.0 or later without delay
• Inventory every node running the Albatross stack and confirm patched binaries are in use
• Review DHT peer logs for evidence of the failure pattern prior to upgrade

Patch Information

The issue is fixed in core-rs-albatross version 1.4.0. The corrective change ensures the DhtResults accumulator is initialized independently of individual record verification outcomes, so a failed first record no longer suppresses processing of valid records. Patch details are available in GitHub Pull Request #3707 and the v1.4.0 release notes.

Workarounds

• No supported configuration workaround exists; upgrading to 1.4.0 is the only complete remediation
• Operators may temporarily restrict DHT peer connectivity to known-trusted nodes to reduce exposure until patching
• Increase monitoring of DHT lookup failures to detect active exploitation while upgrade rollouts proceed