PT-2026-60695 · Crates.Io · Nimiq-Primitives
CVE-2026-54541
·
Publicado
2026-07-16
·
Atualizado
2026-07-16
CVSS v3.1
3.7
Baixa
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Impact
A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted
TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify() calls TrieProofNode::child index() (primitives/src/trie/trie proof node.rs:94), which unconditionally unwraps KeyNibbles::get(self.key.len()). Because is prefix of returns true for two equal keys, execution reaches get(len), which returns None, and the unwrap() panics.The panic is reached from untrusted network input (
ResponseChunk → commit chunks → put chunk → proof.verify()) before any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).Affected: core-rs-albatross <= 1.5.1 (
nimiq-primitives).Patches
Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit
41d35ace). child index now rejects equal-length keys and returns MerkleRadixTrieError::WrongPrefix instead of unwrapping.Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Nimiq-Primitives