PT-2026-42268 · Unknown · Nimiq-Blockchain

Published: 2026-05-20 · Updated: 2026-05-20 · CVE-2026-40094

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

nimiq-blockchain versions prior to 1.4.0

Description

In the network-libp2p discovery component, the node accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book. Nothing validates that the addresses list is non-empty, so an attacker can insert a signed peer contact with an empty addresses list. When the known_peers() function in PeerContactBook builds an address book, it calls addresses.first().expect(), which panics if the list is empty. Consequently, any call to the 'get address book' endpoint via RPC or web client can crash the node or RPC task.

Recommendations

Update to version 1.4.0.
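
The panic pattern from the description, shown beside a defensive form, as an added example that is not Nimiq's code or the 1.4.0 patch. The types are simplified stand-ins (no signatures, plain strings for peer IDs and addresses), and the names insert_unchecked, known_peers_panicking and ContactError are hypothetical.

```rust
use std::collections::HashMap;

// Simplified stand-in (assumption): the real PeerContact is signed and uses libp2p types.
#[derive(Clone, Debug)]
pub struct PeerContact {
    pub peer_id: String,
    pub addresses: Vec<String>,
}

#[derive(Debug, PartialEq)]
pub enum ContactError { NoAddresses }

#[derive(Default)]
pub struct PeerContactBook { peers: HashMap<String, PeerContact> }

impl PeerContactBook {
    // Behaviour the advisory describes: whatever a peer sends is stored.
    pub fn insert_unchecked(&mut self, c: PeerContact) {
        self.peers.insert(c.peer_id.clone(), c);
    }

    // Hardened insert: reject a contact with no addresses at the trust boundary.
    pub fn insert(&mut self, c: PeerContact) -> Result<(), ContactError> {
        if c.addresses.is_empty() {
            return Err(ContactError::NoAddresses);
        }
        self.peers.insert(c.peer_id.clone(), c);
        Ok(())
    }

    // Pattern from the description: first().expect() panics on an empty list.
    pub fn known_peers_panicking(&self) -> Vec<(String, String)> {
        self.peers.values()
            .map(|c| (c.peer_id.clone(), c.addresses.first().expect("no address").clone()))
            .collect()
    }

    // Defensive read path: an entry without addresses is skipped, never unwrapped.
    pub fn known_peers(&self) -> Vec<(String, String)> {
        self.peers.values()
            .filter_map(|c| c.addresses.first().map(|a| (c.peer_id.clone(), a.clone())))
            .collect()
    }
}

fn main() {
    let mut book = PeerContactBook::default();
    let r = book.insert(PeerContact { peer_id: "peer-a".into(), addresses: vec![] });
    println!("{:?} {}", r, book.known_peers().len());
}
```

Checking on both the write path and the read path means contacts already stored by an older version cannot crash the address-book call after an upgrade.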

Fix

Improper Check for Exceptional Conditions

Weakness Enumeration

Related Identifiers

CVE-2026-40094

Affected Products

Nimiq-Blockchain