PT-2026-22404 · Unknown · Nimiq/Core-Rs-Albatross

1Seal

Published

2026-02-27

Updated

2026-03-04

CVE-2026-28402

CVSS v3.1

7.1

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Name of the Vulnerable Software and Affected Versions nimiq/core-rs-albatross versions prior to 1.2.2

Description A malicious or compromised validator, if elected as a proposer, could publish a macro block proposal where the header.body root does not match the actual macro body hash. Proposal verification may pass due to validation of the header without validating the binding between body root and the hash of the body. Subsequent code expecting this binding may panic and crash validators. This issue only affects validator nodes. The vulnerable component is the macro block proposal verification path. The header.body root and hash(body) are key variables involved in this issue.

Recommendations Update to version 1.2.2 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-354

Related Identifiers

CVE-2026-28402

GHSA-7WH6-RMXX-WW47

Affected Products

Nimiq/Core-Rs-Albatross

PT-2026-22404 · Unknown · Nimiq/Core-Rs-Albatross

CVE-2026-28402

Weakness Enumeration

Related Identifiers

Affected Products

References · 11