{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34062", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.866Z", "datePublished": "2026-04-22T19:23:36.838Z", "dateUpdated": "2026-04-23T12:57:42.075Z"}, "containers": {"cna": {"title": "Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr"}, {"name": "https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508"}, {"name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}], "affected": [{"vendor": "nimiq", "product": "network-libp2p", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T19:23:36.838Z"}, "descriptions": [{"lang": "en", "value": "nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available."}], "source": {"advisory": "GHSA-gh7r-qh4p-q4fr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T12:57:31.642650Z", "id": "CVE-2026-34062", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:57:42.075Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T12:57:31.642650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T12:57:36.694Z"}}], "cna": {"title": "Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response", "source": {"advisory": "GHSA-gh7r-qh4p-q4fr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nimiq", "product": "network-libp2p", "versions": [{"status": "affected", "version": "< 1.3.0"}]}], "references": [{"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr", "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508", "name": "https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T19:23:36.838Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34062", "state": "PUBLISHED", "dateUpdated": "2026-04-23T12:57:42.075Z", "dateReserved": "2026-03-25T16:21:40.866Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-22T19:23:36.838Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "matchCriteriaId": "CD0CAAD1-7626-4A4A-A6F8-9DC46FE50731", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `MessageCodec::read_request` and `read_response` call `read_to_end()` on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. because `Behaviour::new` also sets `with_max_concurrent_streams(1000)`, the node exposes a much larger stalled-slot budget than the library default. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available."}], "id": "CVE-2026-34062", "lastModified": "2026-04-24T17:11:49.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T20:16:40.530", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nimiq/core-rs-albatross/commit/c021a5337b808c73571b44999f9753051bac7508"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gh7r-qh4p-q4fr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "network-libp2p", "source": "cna", "vendor": "nimiq"}, "product": "network-libp2p", "vendor": "nimiq"}], "analysis": {"en": {"generated_at": "2026-04-27T08:30:14.973566+00:00", "value": {"mitigation_remediation": ["Upgrade the Nimiq network-libp2p crate to version\u202f1.3.0 or later to apply the fixed resource limits", "Restart affected nodes to ensure the new version is loaded and blocks any pending stalled substreams", "Verify or configure stream limits to avoid excessive concurrent connections, ensuring the node does not allow more than a safe threshold of open substreams", "Monitor memory usage and peer connections for abnormal spikes indicative of stalled substreams"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via resource exhaustion"}, "threat_synthesis": {"affected_systems": "Vendors affected are Nimiq\u2019s network-libp2p implementation. The flaw exists in all releases before v1.3.0 of the libp2p package. Any Nimiq node running a pre-1.3.0 version of the network-libp2p crate is potentially vulnerable and can be targeted by an external peer that can establish a libp2p connection to the node.", "description_and_impact": "The vulnerability exists in the libp2p networking stack used by Nimiq, specifically in the MessageCodec::read_request and read_response functions. These functions call read_to_end() on inbound substreams, allowing a remote peer to send only part of a frame and then keep the substream open. Because the protocol permits a large number of concurrent streams (with_max_concurrent_streams set to 1000), the node can end up with many stalled substreams that consume memory and other resources. This is a classic allocation of resources without limits or throttling flaw (CWE-770) that can lead to a denial of service if an attacker exhausts the node's capacity.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity, and no EPSS score is currently available. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it is not yet actively exploited in the wild. However, exploitation requires only a remote communication channel via the libp2p protocol, which is typically open to public peers. An attacker can create many partially transmitted frames to keep substreams open, thereby exhausting memory and causing the node to become unresponsive or crash. The lack of throttling or resource limits increases the feasibility and potential impact of such an attack."}}}}, "created": "2026-04-27T18:42:00.087260+00:00", "updated": "2026-04-27T19:53:12.108934+00:00", "vendors": ["nimiq", "nimiq$PRODUCT$network-libp2p"]}