CVE-2026-34065

HIGH

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

Title source: cna
STIX 2.1

Description

nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

References (4)

Core 4

Scores

CVSS v3 7.5
EPSS 0.0037
EPSS Percentile 28.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-252 CWE-755
Status published
Products (2)
crates.io/nimiq-primitives 0crates.io
nimiq/nimiq-primitives < 1.3.0
Published Apr 22, 2026
Tracked Since Apr 23, 2026