CVE-2026-46545

Name of the Vulnerable Software and Affected Versions core-rs-albatross (affected versions not specified)

Description A remote, unauthenticated denial-of-service issue exists in the MerkleRadixTrie::put chunk function. A malicious state-sync peer can cause a node to crash by responding to a RequestChunk with a ResponseChunk::Chunk where the first TrieItem.key is the empty (ROOT) key. Although the chunk passes sorting, range, and Merkle-proof validation, the put raw function attempts to store a value at the root node by calling TrieNode::put value(). This results in a RootCantHaveValue error and triggers a panic that aborts the node process. This affects any node performing state synchronization, including fresh nodes during initial download and existing nodes recovering from data loss.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.