12 matches found
CVE-2026-46545
Summary: CVE-2026-46545 affects the Nimiq core-rs-albatross project (MerkleRadixTrie::put_chunk) and causes a remote, unauthenticated denial-of-service by a malicious state-sync peer sending a ROOT-keyed item in a ResponseChunk; upon put_raw attempting to store at the root, it panics with RootCan...
CVE-2026-46545 nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state...
CVE-2026-46539 nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven causes the function to return true without performing any cryptographic verification when get_interlink_hops...
CVE-2026-46539
CVE-2026-46539 affects Nimiq (Rust, Albatross-based PoS). Prior to 1.4.0, a logic flaw in BlockInclusionProof::is_block_proven returns true without cryptographic verification when get_interlink_hops yields an empty hop list, specifically for the target block at the election block position immedia...
nimiq-account (>=0.1.0 <=0.2.0), nimiq-accounts (>=0.1.0 <=0.2.0) +15 more potentially affected by CVE-2026-46545 via nimiq-primitives (>=0.1.0 <=0.2.0)
nimiq-primitives CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0 and more Source cves: CVE-2026-46545 Source advisory: OSV:GHSA-MW3Q-R9WH-H2FF...
nimiq-account (>=0.1.0 <=0.2.0), nimiq-accounts (>=0.1.0 <=0.2.0) +15 more potentially affected by CVE-2026-46539 via nimiq-primitives (>=0.1.0 <=0.2.0)
nimiq-primitives CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0 and more Source cves: CVE-2026-46539 Source advisory: OSV:GHSA-799F-29JM-GR6C...
CVE-2026-34065
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashi...
CVE-2026-34065 nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashi...
CVE-2026-34065
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashi...
nimiq-account (>=0.1.0 <=0.2.0), nimiq-accounts (>=0.1.0 <=0.2.0) +15 more potentially affected by CVE-2026-34065 via nimiq-primitives (>=0.1.0 <=0.2.0)
nimiq-primitives CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0 and more Source cves: CVE-2026-34065 Source advisory: OSV:GHSA-7C4J-2M43-2MGH...
EUVD-2026-25062
nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals...
PT-2026-34546
Impact: An untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashing an election macro header hashes validators and reaches Validators::voting_keys, which calls validator.voting_key.uncompress.unwr...