CVE-2026-34065

HIGH

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

Title source: cna

Description

nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

References (4)

Scores

CVSS v3 7.5
EPSS 0.0004
EPSS Percentile 12.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-252 CWE-755
Status published
Products (2)
crates.io/nimiq-primitives 0crates.io
nimiq/nimiq-primitives < 1.3.0
Published Apr 22, 2026
Tracked Since Apr 23, 2026