CVE-2026-46545 Overview
CVE-2026-46545 is a remote, unauthenticated denial-of-service vulnerability in Nimiq, a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. The flaw resides in the MerkleRadixTrie::put_chunk function and affects nodes performing state synchronization. Any state-sync peer can crash freshly joining nodes or recovering nodes by sending crafted chunk data. The issue is patched in version 1.5.0 of core-rs-albatross. The vulnerability is classified under [CWE-248] (Uncaught Exception).
Critical Impact
A single malicious state-sync peer can crash any Nimiq node attempting to join or recover, disrupting blockchain consensus participation and network availability.
Affected Products
- Nimiq core-rs-albatross prior to version 1.5.0
- Nimiq Proof-of-Stake nodes performing state synchronization
- Nodes implementing the Albatross consensus algorithm via the affected library
Discovery Timeline
- 2026-06-10 - CVE-2026-46545 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46545
Vulnerability Analysis
The vulnerability exists in the MerkleRadixTrie::put_chunk routine, which processes chunks of trie state received from peers during state synchronization. When a peer supplies malformed or unexpected chunk data, the function triggers an uncaught exception or panic, terminating the node process.
Because state synchronization is required for fresh nodes joining the network and for nodes recovering after downtime, the impact targets the most vulnerable phase of a node's lifecycle. The attacker does not need credentials, prior trust, or any authenticated relationship with the victim node. Any peer that participates in state-sync exchanges can deliver the crashing payload.
The network attack vector combined with low complexity and no privileges required makes the vulnerability trivially reachable. Confidentiality and integrity are not impacted, but availability is fully compromised for affected nodes.
Root Cause
The root cause is an unhandled error condition inside MerkleRadixTrie::put_chunk when validating or applying incoming chunk data. Instead of returning a recoverable error to the synchronization layer, the function propagates a panic that aborts the node process. This maps to [CWE-248] Uncaught Exception.
Attack Vector
An attacker operates a malicious or compromised Nimiq peer that serves state-sync data. When a victim node initiates state synchronization and selects the malicious peer, the attacker returns a crafted chunk payload. Processing the chunk crashes the victim node before synchronization completes, preventing the node from joining or rejoining the network.
No code execution example is reproduced here. Refer to the GitHub Security Advisory GHSA-mw3q-r9wh-h2ff and the fix in Pull Request #3762 for technical details on the crashing condition and the validation added by the patch.
Detection Methods for CVE-2026-46545
Indicators of Compromise
- Repeated node process crashes or panics during state synchronization, with stack traces referencing MerkleRadixTrie::put_chunk.
- Failure of fresh or recovering nodes to complete initial sync despite stable network connectivity.
- Connections to unknown or untrusted state-sync peers immediately preceding node termination.
Detection Strategies
- Monitor node logs for panic messages, abnormal exits, or supervisor restart loops that correlate with the state-sync phase.
- Track peer identifiers supplying chunks immediately before crashes to identify suspect state-sync providers.
- Deploy synthetic Nimiq nodes on patched versions and compare sync stability against unpatched canaries to detect active abuse.
Monitoring Recommendations
- Alert on Nimiq node process restarts exceeding baseline frequency, especially during boot or recovery.
- Forward node logs and crash telemetry to a centralized SIEM for correlation across operator-controlled nodes.
- Track the version string reported by each operated node to confirm all instances run core-rs-albatross 1.5.0 or later.
How to Mitigate CVE-2026-46545
Immediate Actions Required
- Upgrade all Nimiq nodes to core-rs-albatross version 1.5.0 or later before initiating any new state synchronization.
- Halt fresh node onboarding and recovery operations on unpatched binaries until upgrades complete.
- Audit currently configured state-sync peers and remove any untrusted or unverified entries.
Patch Information
The vulnerability is fixed in core-rs-albatross v1.5.0. The fix is implemented in Pull Request #3762, which adds proper error handling inside MerkleRadixTrie::put_chunk so malformed chunks return a graceful error instead of panicking. Operators should rebuild and redeploy node binaries from the patched release.
Workarounds
- Restrict state synchronization to a curated allowlist of trusted peers operated by known parties until patching is complete.
- Run node processes under a supervisor that automatically restarts on crash, while accepting that sync will not progress until upgrade.
- Delay non-essential node restarts and new joins until version 1.5.0 is rolled out across operator infrastructure.
# Verify and upgrade core-rs-albatross to the patched release
git clone https://github.com/nimiq/core-rs-albatross.git
cd core-rs-albatross
git checkout v1.5.0
cargo build --release
# Confirm the running binary reports v1.5.0 before resuming state sync
./target/release/nimiq-client --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
