CVE-2026-33471

Name of the Vulnerable Software and Affected Versions nimiq-block versions prior to 1.3.0

Description The SkipBlockProof::verify() function computes its quorum check using BitSet.len(), then iterates through BitSet indices and casts each usize index to u16 (slot as u16) for slot lookup. An integer overflow in BitSet indexing allows an attacker to provide a SkipBlockProof where MultiSignature.signers contains out-of-range indices spaced by 65536. These indices inflate the length returned by len() but collide onto the same in-range u16 slot during aggregation. This enables a malicious validator with significantly fewer than 2f+1 real signer slots to bypass skip block proof verification by multiplying a single BLS signature by the same factor.

Recommendations Update to version 1.3.0.