PT-2026-34547 · Unknown · Nimiq-Blockchain

Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-34066

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

nimiq-blockchain versions prior to 1.3.0

Description

In the Rust implementation of Nimiq, the `HistoryStore::put_historic_txns` function uses an `assert!` macro to enforce invariants on the block number of a `HistoricTransaction`: it must fall within the same epoch and within the macro block being pushed. During a history sync, a peer can provide a malformed history list via the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, which can violate these invariants and trigger a panic. This occurs because `extend_history_sync` calls `this.history_store.add_to_history(..)` before the computed history root is compared against the macro block header (`block.history_root()`), so the panic happens before the rejection checks are executed.

Recommendations

Update to version 1.3.0.
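
The ordering problem described above, shown as an added example that is not code from nimiq-blockchain or from the fix in 1.3.0. All names (`HistTx`, `push_history`, `store_asserting`, `toy_root`, `EPOCH_LEN`) and the sample values are hypothetical; it contrasts an `assert!` on peer-supplied data with a check that returns an error before the store is touched.

```rust
// Added illustration: every name below is hypothetical, not nimiq-blockchain's API.
const EPOCH_LEN: u32 = 100; // constructed epoch length for the example

#[derive(Debug, PartialEq)]
enum PushError { WrongEpoch(usize), AfterMacroBlock(usize), RootMismatch }

struct HistTx { block_number: u32, payload: u8 }

fn epoch_of(block: u32) -> u32 { block / EPOCH_LEN }

// Toy stand-in for the history root (FNV-style fold), not a real Merkle root.
fn toy_root(history: &[HistTx]) -> u64 {
    history.iter().fold(0xcbf29ce484222325u64, |h, t| {
        (h ^ (((t.block_number as u64) << 8) | t.payload as u64)).wrapping_mul(0x100000001b3)
    })
}

// Pattern described above: invariants on peer data enforced with assert!,
// reached before any root comparison. A bad item aborts the caller.
fn store_asserting(store: &mut Vec<HistTx>, macro_block: u32, history: Vec<HistTx>) {
    for tx in &history {
        assert!(epoch_of(tx.block_number) == epoch_of(macro_block));
        assert!(tx.block_number <= macro_block);
    }
    store.extend(history);
}

// Defensive form: validate everything the peer controls, return an error,
// and only mutate the store once all checks have passed.
fn push_history(store: &mut Vec<HistTx>, macro_block: u32, header_root: u64,
                history: Vec<HistTx>) -> Result<usize, PushError> {
    for (i, tx) in history.iter().enumerate() {
        if epoch_of(tx.block_number) != epoch_of(macro_block) { return Err(PushError::WrongEpoch(i)); }
        if tx.block_number > macro_block { return Err(PushError::AfterMacroBlock(i)); }
    }
    if toy_root(&history) != header_root { return Err(PushError::RootMismatch); }
    let n = history.len();
    store.extend(history);
    Ok(n)
}

fn main() {
    let mut store = Vec::new();
    let bad = vec![HistTx { block_number: 250, payload: 1 }]; // constructed malformed item
    println!("{:?}", push_history(&mut store, 150, 0, bad)); // Err(WrongEpoch(0))
}
```
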

Fix

RCE

Improper Check for Exceptional Conditions

Assertion Failure


Weakness Enumeration

Related Identifiers

CVE-2026-34066
GHSA-J99G-7RQW-Q9JG

Affected Products

Nimiq-Blockchain