{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.720Z", "datePublished": "2026-04-03T22:09:01.430Z", "dateUpdated": "2026-04-06T13:19:33.717Z"}, "containers": {"cna": {"title": "nimiq/core-rs-albatross: Discovery handshake limit could underflow and later provoke a deterministic overflow panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rm9-893q-vmhm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rm9-893q-vmhm"}, {"name": "https://github.com/nimiq/core-rs-albatross/pull/3664", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3664"}, {"name": "https://github.com/nimiq/core-rs-albatross/commit/8f60a2d75b74b55764ecf34bd4435f4961630595", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/commit/8f60a2d75b74b55764ecf34bd4435f4961630595"}, {"name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}], "affected": [{"vendor": "nimiq", "product": "core-rs-albatross", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:09:01.430Z"}, "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0."}], "source": {"advisory": "GHSA-5rm9-893q-vmhm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:19:23.883699Z", "id": "CVE-2026-33184", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:19:33.717Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-06T13:19:23.883699Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:19:29.216Z"}}], "cna": {"title": "nimiq/core-rs-albatross: Discovery handshake limit could underflow and later provoke a deterministic overflow panic", "source": {"advisory": "GHSA-5rm9-893q-vmhm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nimiq", "product": "core-rs-albatross", "versions": [{"status": "affected", "version": "< 1.3.0"}]}], "references": [{"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rm9-893q-vmhm", "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rm9-893q-vmhm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nimiq/core-rs-albatross/pull/3664", "name": "https://github.com/nimiq/core-rs-albatross/pull/3664", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nimiq/core-rs-albatross/commit/8f60a2d75b74b55764ecf34bd4435f4961630595", "name": "https://github.com/nimiq/core-rs-albatross/commit/8f60a2d75b74b55764ecf34bd4435f4961630595", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:09:01.430Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33184", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:19:33.717Z", "dateReserved": "2026-03-17T22:16:36.720Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:09:01.430Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "matchCriteriaId": "F1D1AFE5-536A-424A-B7D3-AFCE79533E39", "versionEndIncluding": "1.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0."}], "id": "CVE-2026-33184", "lastModified": "2026-05-05T18:17:13.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:03.600", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nimiq/core-rs-albatross/commit/8f60a2d75b74b55764ecf34bd4435f4961630595"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3664"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-5rm9-893q-vmhm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "core-rs-albatross", "source": "cna", "vendor": "nimiq"}, "product": "core-rs-albatross", "vendor": "nimiq"}], "analysis": {"en": {"generated_at": "2026-04-13T19:40:17.336149+00:00", "value": {"mitigation_remediation": ["Apply the Nimiq core-rs-albatross update to version 1.3.0 or newer.", "Verify that your deployment is running the patched version by checking the library version in use.", "If upgrading is not immediately possible, monitor incoming peer connections and consider enforcing a minimum handshake limit on new peers to prevent zero or suspicious values."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vendors affected are Nimiq, product core-rs-albatross. All releases prior to version 1.3.0 are vulnerable. Version 1.3.0 and later contain the patch that validates the handshake limit and prevents the underflow. Users running the unpatched library should upgrade to 1.3.0 or later to avoid the issue.", "description_and_impact": "A flaw in the Nimiq core-rs-albatross peer discovery process allows an attacker to set a peer\u2010controlled limit to zero during the handshake phase. The value is stored unchanged and later used in a path that calculates a list size as the limit minus one. With a zero limit, this subtraction wraps to the maximum usize value, producing a very large number that causes the random selection routine to request a vector capacity that overflows, leading to a deterministic panic. The panic aborts the node, effectively denying service to all participants in the network. The weakness is reflected in CWE-191, an integer underflow leading to a subsequent overflow.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity with potential for widespread denial of service. EPSS shows a probability of exploitation lower than 1%, suggesting limited active attacks reported at this time. The vulnerability is not listed in the CISA KEV catalog, so no known widespread exploitation is documented. The attack vector is remote, wherein a malicious peer can supply the offending limit during handshake. Attackers only need to establish a network connection to a running node and send a specially crafted handshake. The determinism of the panic means once the sequence is triggered the node will crash without further input, making mitigation simple if the software is patched."}}}}, "created": "2026-04-06T21:22:13.065669+00:00", "updated": "2026-04-14T16:41:39.245717+00:00", "vendors": ["nimiq", "nimiq$PRODUCT$core-rs-albatross"]}