PT-2026-60696 · Crates.Io · Nimiq-Primitives
CVE-2026-54542
·
Publicado
2026-07-16
·
Atualizado
2026-07-16
CVSS v3.1
3.7
Baixa
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Impact
A malicious peer acting as a state-sync source can crash a syncing node with a crafted
TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key nibbles.rs:332 / :341) indexes bytes[self.bytes len()..self.bytes len() + other.bytes len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put chunk → child.key() → is stump() → +, i.e. before proof.verify(), so no valid proof is required. As with the related child index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).Affected: core-rs-albatross <= 1.5.1 (
nimiq-primitives).Patches
Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit
eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
Correção
Out of bounds Read
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Nimiq-Primitives