PT-2026-60696 · Crates.Io · Nimiq-Primitives
CVE-2026-54542
·
Published
2026-07-16
·
Updated
2026-07-16
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
Impact
A malicious peer acting as a state-sync source can crash a syncing node with a crafted
TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key nibbles.rs:332 / :341) indexes bytes[self.bytes len()..self.bytes len() + other.bytes len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put chunk → child.key() → is stump() → +, i.e. before proof.verify(), so no valid proof is required. As with the related child index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).Affected: core-rs-albatross <= 1.5.1 (
nimiq-primitives).Patches
Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit
eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
Fix
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nimiq-Primitives