PT-2026-42670 · Nimiq+1 · Core-Rs-Albatross+1
Published: 2026-05-21 · Updated: 2026-06-10
CVE-2026-46542
| Metric | Value |
|---|---|
| CVSS v3.1 | 4.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
Nimiq versions prior to 1.4.0
Description
A denial-of-service issue exists in the Ed25519 multisig delinearization code path. The function Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs calls .unwrap() during curve point decompression, so it panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Because Ed25519PublicKey construction validates only byte length and not curve membership, invalid keys can crash the hosting process. A secondary panic occurs in Commitment::From<[u8; 32]>, where curve point decompression fails in the same way. This affects browser and desktop wallet users of the web-client WASM library and the nimiq-wallet crate when initiating a multisig operation with an attacker-supplied public key.
Recommendations
Update to version 1.4.0.
Only perform multisig operations with public keys received from trusted sources.
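The curve-membership check that the description says key construction lacks can be applied to any public key from an untrusted source before it reaches a multisig operation. The following is an added example, not Nimiq's code and not the 1.4.0 fix: a dependency-free Python implementation of RFC 8032 point decoding that returns failure as a value. The function names and both sample inputs are assumptions constructed for illustration.

```python
P = 2**255 - 19                                  # field prime
D = (-121665 * pow(121666, P - 2, P)) % P        # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                # square root of -1 mod P

class InvalidPoint(ValueError):
    """Raised when 32 bytes do not decode to a point on the curve."""

def decompress(encoded: bytes) -> tuple:
    """Decode a 32-byte Ed25519 point per RFC 8032, section 5.1.3."""
    if len(encoded) != 32:
        raise InvalidPoint("expected 32 bytes")
    y = int.from_bytes(encoded, "little")
    sign = y >> 255                              # top bit carries the sign of x
    y &= (1 << 255) - 1
    if y >= P:
        raise InvalidPoint("non-canonical y coordinate")
    # -x^2 + y^2 = 1 + d*x^2*y^2  =>  x^2 = (y^2 - 1) / (d*y^2 + 1)
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)                 # candidate root, P = 5 (mod 8)
    if (x * x - x2) % P != 0:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P != 0:
        raise InvalidPoint("x^2 has no square root: not on the curve")
    if x == 0 and sign:
        raise InvalidPoint("sign bit set for x = 0")
    if (x & 1) != sign:
        x = P - x
    return x, y

def length_only_ok(encoded: bytes) -> bool:
    """The weak check the advisory describes: byte length only."""
    return len(encoded) == 32

def is_valid_public_key(encoded: bytes) -> bool:
    """Gate for untrusted keys: report failure as a value, never as a crash."""
    try:
        decompress(encoded)
    except InvalidPoint:
        return False
    return True

# Constructed sample inputs (not taken from the advisory).
BASE_POINT = bytes.fromhex("58" + "66" * 31)     # RFC 8032 base point B
OFF_CURVE = (2).to_bytes(32, "little")           # y = 2 has no matching x
```

OFF_CURVE passes the length-only check but fails decoding, which is the class of input that reaches the .unwrap() described above.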
Fix
DoS
Assertion Failure
Affected Products
Core-Rs-Albatross
Nimiq-Keys