PT-2026-60696 · Crates.Io · Nimiq-Primitives

CVE-2026-54542

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact

A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key nibbles.rs:332 / :341) indexes bytes[self.bytes len()..self.bytes len() + other.bytes len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).
KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put chunkchild.key()is stump()+, i.e. before proof.verify(), so no valid proof is required. As with the related child index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).

Patches

Fixed in 1.6.0 via https://github.com/nimiq/core-rs-albatross/pull/3790 (commit eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.

Workarounds

None other than syncing only from trusted peers. Upgrade to 1.6.0.

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54542
GHSA-5RG2-XV9J-GV5P

Affected Products

Nimiq-Primitives