{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32605", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.270Z", "datePublished": "2026-04-13T18:54:58.542Z", "dateUpdated": "2026-04-16T13:26:40.930Z"}, "containers": {"cna": {"title": "Nimiq: Remote crash via off-by-one signer bounds check in proposal buffer", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-193", "lang": "en", "description": "CWE-193: Off-by-one Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv"}, {"name": "https://github.com/nimiq/core-rs-albatross/pull/3661", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3661"}, {"name": "https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c"}, {"name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}], "affected": [{"vendor": "nimiq", "product": "core-rs-albatross", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T18:54:58.542Z"}, "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0."}], "source": {"advisory": "GHSA-g99c-h7j7-rfhv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:20:25.349665Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:26:40.930Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32605", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T13:20:25.349665Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:26:25.753Z"}}], "cna": {"title": "Nimiq: Remote crash via off-by-one signer bounds check in proposal buffer", "source": {"advisory": "GHSA-g99c-h7j7-rfhv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nimiq", "product": "core-rs-albatross", "versions": [{"status": "affected", "version": "< 1.3.0"}]}], "references": [{"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv", "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nimiq/core-rs-albatross/pull/3661", "name": "https://github.com/nimiq/core-rs-albatross/pull/3661", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c", "name": "https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-193", "description": "CWE-193: Off-by-one Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-13T18:54:58.542Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32605", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:26:40.930Z", "dateReserved": "2026-03-12T14:54:24.270Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-13T18:54:58.542Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "matchCriteriaId": "CD0CAAD1-7626-4A4A-A6F8-9DC46FE50731", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0."}], "id": "CVE-2026-32605", "lastModified": "2026-04-24T17:11:26.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-13T20:16:33.787", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3661"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-193"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "core-rs-albatross", "source": "cna", "vendor": "nimiq"}, "product": "core-rs-albatross", "vendor": "nimiq"}], "analysis": {"en": {"generated_at": "2026-04-13T20:52:16.573333+00:00", "value": {"mitigation_remediation": ["Upgrade Nimiq core\u2011rs\u2011albatross to version 1.3.0 or newer"], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Remote Crash)"}, "threat_synthesis": {"affected_systems": "Nimiq\u2019s core\u2011rs\u2011albatross is a Rust implementation of the Nimiq Proof\u2011of\u2011Stake protocol and the Albatross consensus algorithm. Versions prior to 1.3.0 are affected. The flaw is present in the core\u2011rs\u2011albatross software distributed by the Nimiq project.", "description_and_impact": "An off\u2011by\u2011one error in the signer bounds check of the ProposalSender::send function allows an unauthenticated peer to cause a validator node to panic. By sending a signed Tendermint proposal where the signer field equals the number of validators, the check mistakenly accepts the value, leading to an out\u2011of\u2011bounds array access and a crash before any signature verification occurs. The vulnerability falls under CWE\u2011125 (Out\u2011of\u2011Bounds Read) and CWE\u2011193 (Off\u2011by\u2011One Errors), resulting in a Denial of Service that prevents the affected node from participating in the network.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact, but the absence of an EPSS score means the exact likelihood cannot be quantified from the data. The vulnerability is not listed in the CISA KEV catalog, yet it can be exploited over the network by an untrusted peer simply by broadcasting a malformed proposal. The attack does not require privileged access; the write\u2011time is minimal, making it feasible. As such, the risk to networks running vulnerable nodes is significant and warrants prompt remediation."}}}}, "created": "2026-04-14T16:18:24.727759+00:00", "updated": "2026-04-14T16:33:32.054429+00:00", "vendors": ["nimiq", "nimiq$PRODUCT$core-rs-albatross"]}