Vulnerability Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the first locator hash on the victim’s main chain is a micro block hash (not a macro block hash) causes said panic. The RequestMacroChain::handle handler selects the locator based only on "is on main chain", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro). This issue has been fixed in version 1.3.0.
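The failure pattern described above, as an added example on a simplified model (not code from nimiq/core-rs-albatross). `Chain`, `Kind`, the `u8` hashes and both `handle_*` functions are hypothetical; only the names `get_macro_blocks` and `BlockIsNotMacro` come from the advisory, and the hardened handler is one possible approach, not necessarily the change shipped in 1.3.0.

```rust
use std::collections::HashMap;

#[derive(PartialEq)]
enum Kind { Macro, Micro }
#[derive(Debug)]
enum BlockchainError { BlockNotFound, BlockIsNotMacro }

// Simplified stand-in for the chain store: hash -> (kind, on main chain?).
struct Chain { blocks: HashMap<u8, (Kind, bool)> }

impl Chain {
    fn is_on_main_chain(&self, h: u8) -> bool {
        self.blocks.get(&h).map_or(false, |b| b.1)
    }
    // Same contract as in the advisory: a non-macro start hash is an error.
    fn get_macro_blocks(&self, start: u8) -> Result<Vec<u8>, BlockchainError> {
        match self.blocks.get(&start) {
            None => return Err(BlockchainError::BlockNotFound),
            Some((Kind::Micro, _)) => return Err(BlockchainError::BlockIsNotMacro),
            Some((Kind::Macro, _)) => {}
        }
        let mut out: Vec<u8> = self.blocks.iter()
            .filter(|(h, b)| **h > start && b.0 == Kind::Macro && b.1)
            .map(|(h, _)| *h).collect();
        out.sort();
        Ok(out)
    }
}

// Vulnerable pattern: locator chosen only by "is on main chain", then unwrap().
fn handle_vulnerable(chain: &Chain, locators: &[u8]) -> Option<Vec<u8>> {
    let start = locators.iter().copied().find(|h| chain.is_on_main_chain(*h))?;
    Some(chain.get_macro_blocks(start).unwrap()) // panics on BlockIsNotMacro
}

// Hardened pattern: never unwrap on peer input; skip locators that are not macro blocks.
fn handle_hardened(chain: &Chain, locators: &[u8]) -> Option<Vec<u8>> {
    locators.iter().copied()
        .filter(|h| chain.is_on_main_chain(*h))
        .find_map(|h| chain.get_macro_blocks(h).ok())
}

// Constructed sample chain: hashes 0 and 4 are macro blocks, 1..=3 are micro blocks.
fn sample_chain() -> Chain {
    let kind = |h: u8| if h % 4 == 0 { Kind::Macro } else { Kind::Micro };
    Chain { blocks: (0u8..=4).map(|h| (h, (kind(h), true))).collect() }
}

fn main() {
    // Locator 2 is a micro block on the main chain; handle_vulnerable would panic on it.
    println!("{:?}", handle_hardened(&sample_chain(), &[2, 0]));
}
```
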
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nimiq | Nimiq Proof-Of-Stake | < 1.3.0 |
References
- https://github.com/nimiq/core-rs-albatross/commit/ae6c1e92342e72f80fd12accbe66ee (Patch)
- https://github.com/nimiq/core-rs-albatross/pull/3660 (Issue Tracking, Patch)
- https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0 (Release Notes)
- https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-48m6-486p-9j (Patch, Vendor Advisory)
FAQ
What is CVE-2026-34069?
CVE-2026-34069 is a vulnerability with a CVSS score of 5.3 (MEDIUM). nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the...
How severe is CVE-2026-34069?
CVE-2026-34069 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-34069?
Check the references section above for vendor advisories and patch information. Affected products include: Nimiq Nimiq Proof-Of-Stake.