CVE-2026-46543 Overview
CVE-2026-46543 is a denial-of-service vulnerability in Nimiq, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler invokes get_epoch_chunks, which iterates backwards through macro blocks using Policy::macro_block_before and panics when it reaches the genesis block. The issue is classified as a reachable assertion [CWE-617] and was patched in version 1.5.0.
Critical Impact
Any unauthenticated network peer can crash Nimiq full nodes prior to version 1.5.0, disrupting node availability and degrading network consensus participation.
Affected Products
- Nimiq core-rs-albatross prior to version 1.5.0
- Nimiq Proof-of-Stake full nodes running the Albatross consensus implementation
- Any deployment exposing the peer-to-peer request handler to untrusted peers
Discovery Timeline
- 2026-06-10 - CVE-2026-46543 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46543
Vulnerability Analysis
The vulnerability resides in the Nimiq full node handler for the RequestBatchSet peer-to-peer message. When a node receives this message, the handler calls get_epoch_chunks to retrieve macro block data associated with the requested block hash. The function walks backwards through the chain using Policy::macro_block_before to enumerate prior macro blocks within the epoch.
If an attacker submits the genesis block's hash, the iteration reaches block height zero. At that point, macro_block_before cannot return a predecessor and triggers a panic with the message "No macro blocks before genesis block". Because the panic is not caught, the entire node process terminates, taking the node offline.
The attack vector is network-based and requires no authentication, privileges, or user interaction. The vulnerability impacts availability only — confidentiality and integrity are not affected.
Root Cause
The root cause is a reachable assertion [CWE-617] in Policy::macro_block_before. The function asserts the existence of a prior macro block without validating that the caller has handled the genesis boundary condition. The get_epoch_chunks caller fails to sanitize input or short-circuit when the requested hash corresponds to the genesis block, allowing user-controlled data to drive the iteration into an invalid state.
Attack Vector
An attacker connects to a target Nimiq full node over the standard peer-to-peer network and transmits a single RequestBatchSet message containing the genesis block hash. The genesis hash is public and constant per network, so no reconnaissance is required. Upon processing, the node panics and exits. Repeated connections can sustain a denial-of-service condition against restarted nodes or large portions of the network.
No verified exploit code is publicly available. Refer to the GitHub Security Advisory GHSA-vghx-352f-93jm and Pull Request #3745 for technical details on the fix.
Detection Methods for CVE-2026-46543
Indicators of Compromise
- Unexpected node termination with the panic message "No macro blocks before genesis block" in stderr or systemd journal logs
- Inbound peer-to-peer connections immediately preceding a node crash, particularly short-lived sessions that issue a single RequestBatchSet message
- Repeated restarts of nimiq-client or related processes correlated with peer activity from a small set of remote addresses
Detection Strategies
- Parse Nimiq node logs for the literal panic string and alert on any occurrence, since the message is unique to this code path
- Monitor process supervision events (systemd, Docker, Kubernetes) for abnormal restart counts on Nimiq full nodes
- Correlate peer connection logs with crash timestamps to identify the originating remote peer identifier
Monitoring Recommendations
- Forward node logs and process telemetry to a centralized log platform with alerts on panic signatures and restart frequency
- Track peer connection metadata, including peer IDs and source IP addresses, for nodes accepting public inbound connections
- Establish baselines for RequestBatchSet message volume and alert on anomalous spikes from individual peers
How to Mitigate CVE-2026-46543
Immediate Actions Required
- Upgrade all Nimiq full nodes to version 1.5.0 or later, which contains the official fix
- Inventory exposed nodes and confirm the running binary version matches the patched release
- Restrict inbound peer-to-peer connectivity to known, trusted peers where operationally feasible until patching is complete
Patch Information
The issue is patched in Nimiq core-rs-albatross version 1.5.0. The fix is implemented in Pull Request #3745 and shipped with the v1.5.0 release. Additional context is available in the GitHub Security Advisory GHSA-vghx-352f-93jm.
Workarounds
- Place Nimiq nodes behind a firewall or peer allowlist to limit who can send RequestBatchSet messages
- Use process supervisors with rate-limited restarts to reduce the impact of repeated crash attempts while patching is scheduled
- Monitor logs for the genesis-block panic signature and block originating peers at the network layer when detected
# Verify the installed Nimiq client version and upgrade if below 1.5.0
nimiq-client --version
# Example: pull and run the patched release container
docker pull ghcr.io/nimiq/core-rs-albatross:1.5.0
docker run --rm ghcr.io/nimiq/core-rs-albatross:1.5.0 --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
