PT-2026-60695 · Crates.Io · Nimiq-Primitives

CVE-2026-54541

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v3.1

3.7

Baixa

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact

A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify() calls TrieProofNode::child index() (primitives/src/trie/trie proof node.rs:94), which unconditionally unwraps KeyNibbles::get(self.key.len()). Because is prefix of returns true for two equal keys, execution reaches get(len), which returns None, and the unwrap() panics.
The panic is reached from untrusted network input (ResponseChunkcommit chunksput chunkproof.verify()) before any cryptographic proof verification, so the attacker does not need to produce a valid proof. Exploitation requires the attacker to be selected as the victim's sync peer while the victim is performing state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).

Patches

Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3789 (commit 41d35ace). child index now rejects equal-length keys and returns MerkleRadixTrieError::WrongPrefix instead of unwrapping.

Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54541
GHSA-46WQ-28CX-MHW4

Produtos afetados

Nimiq-Primitives