PT-2026-48331 · Nimiq · Core-Rs-Albatross

Published 2026-06-09 · Updated 2026-06-10 · CVE-2026-46540

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, when LightBlockchain::rebranch() adopts a fork chain whose tip is a macro block (checkpoint or election), it only updates self.head but fails to update self.macro_head, self.election_head, self.current_validators, or store the election header in the chain store. This is in direct contrast with the full Blockchain::rebranch() at blockchain/src/blockchain/push.rs:504-518, which correctly updates all macro/election state when the new head is a macro block. After a rebranch to a macro block, the stale macro_head causes subsequent macro blocks pushed via push() to be verified against the wrong predecessor via verify_macro_successor(&this.macro_head). If the rebranch target was an election block, the stale current_validators causes every subsequent block to fail verify_validators(), completely stalling the light client's chain progression. This issue has been patched in version 1.4.0.
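
A simplified model of the state handling described above, as an added example (not code from core-rs-albatross). The `Kind`, `Block` and `LightState` types and the `stale_fields` consistency check are hypothetical, and the chain-store write of the election header is left out.

```rust
// Toy model only: these types are hypothetical, not the Nimiq API.
#[derive(Clone, Debug, PartialEq)]
enum Kind { Micro, Checkpoint, Election }

// `validators` stands in for the validator set an election block announces.
#[derive(Clone, Debug, PartialEq)]
struct Block { height: u32, kind: Kind, validators: u32 }

#[derive(Debug)]
struct LightState { head: Block, macro_head: Block, election_head: Block, current_validators: u32 }

impl LightState {
    fn new(genesis: Block) -> Self {
        LightState { head: genesis.clone(), macro_head: genesis.clone(),
                     current_validators: genesis.validators, election_head: genesis }
    }
    // Behaviour the advisory describes for the light client: only `head` moves.
    fn rebranch_head_only(&mut self, tip: Block) { self.head = tip; }
    // Behaviour the advisory attributes to the full rebranch: macro and
    // election state follow the new head when it is a macro block.
    fn rebranch_full(&mut self, tip: Block) {
        if tip.kind != Kind::Micro { self.macro_head = tip.clone(); }
        if tip.kind == Kind::Election {
            self.election_head = tip.clone();
            self.current_validators = tip.validators;
        }
        self.head = tip;
    }
    // Invariant usable as a debug assertion or regression test after any head change.
    fn stale_fields(&self) -> Vec<&'static str> {
        let mut stale = Vec::new();
        if self.head.kind != Kind::Micro && self.macro_head != self.head { stale.push("macro_head"); }
        if self.head.kind == Kind::Election {
            if self.election_head != self.head { stale.push("election_head"); }
            if self.current_validators != self.head.validators { stale.push("current_validators"); }
        }
        stale
    }
}

fn main() {
    // Constructed sample blocks: genesis plus a fork tip that is an election block.
    let genesis = Block { height: 0, kind: Kind::Election, validators: 1 };
    let tip = Block { height: 32, kind: Kind::Election, validators: 2 };
    let mut light = LightState::new(genesis.clone());
    light.rebranch_head_only(tip.clone());
    println!("head-only rebranch, stale: {:?}", light.stale_fields());
    let mut fixed = LightState::new(genesis);
    fixed.rebranch_full(tip);
    println!("full rebranch, stale: {:?}", fixed.stale_fields());
}
```
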

Related Identifiers: CVE-2026-46540

Affected Products: Core-Rs-Albatross