PT-2026-41387 · Nimiq · Nimiq-Blockchain

Piravlos

·

Published

2026-05-15

·

Updated

2026-05-20

·

CVE-2026-40092

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions nimiq-blockchain versions prior to 1.4.0
Description A malicious network peer can crash a Nimiq full node by publishing a crafted Kademlia DHT record. The record contains a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64. When the node's DHT verifier calls the TaggedSigned::verify function, execution reaches Ed25519Signature::from bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from bytes call fails because ed25519 zebra::Signature::try from rejects slices that are not 64 bytes, causing the unwrap() function to panic and crash the node. This issue specifically affects the Ed25519 implementation, whereas the BLS TaggedPublicKey implementation correctly handles the error.
Recommendations Update to version 1.4.0.

Fix

Unchecked Return Value

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-40092
GHSA-27W2-87XV-37C6

Affected Products

Nimiq-Blockchain