PT-2026-60696 · Crates.Io · Nimiq-Primitives

CVE-2026-54542

·

Publicado

2026-07-16

·

Atualizado

2026-07-16

CVSS v3.1

3.7

Baixa

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact

A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key nibbles.rs:332 / :341) indexes bytes[self.bytes len()..self.bytes len() + other.bytes len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).
KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put chunkchild.key()is stump()+, i.e. before proof.verify(), so no valid proof is required. As with the related child index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).

Patches

Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.

Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

Correção

Out of bounds Read

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54542
GHSA-5RG2-XV9J-GV5P

Produtos afetados

Nimiq-Primitives