{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.867Z", "datePublished": "2026-04-22T19:52:43.916Z", "dateUpdated": "2026-04-23T14:17:59.735Z"}, "containers": {"cna": {"title": "nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm"}, {"name": "https://github.com/nimiq/core-rs-albatross/pull/3659", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3659"}, {"name": "https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a"}, {"name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}], "affected": [{"vendor": "nimiq", "product": "nimiq-transaction", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T19:52:43.916Z"}, "descriptions": [{"lang": "en", "value": "nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."}], "source": {"advisory": "GHSA-264v-m8fm-76jm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:17:49.301869Z", "id": "CVE-2026-34067", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:17:59.735Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34067", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T16:21:40.867Z", "datePublished": "2026-04-22T19:52:43.916Z", "dateUpdated": "2026-04-23T14:17:59.735Z"}, "containers": {"cna": {"title": "nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "lang": "en", "description": "CWE-617: Reachable Assertion", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm"}, {"name": "https://github.com/nimiq/core-rs-albatross/pull/3659", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3659"}, {"name": "https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a"}, {"name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}], "affected": [{"vendor": "nimiq", "product": "nimiq-transaction", "versions": [{"version": "< 1.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T19:52:43.916Z"}, "descriptions": [{"lang": "en", "value": "nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."}], "source": {"advisory": "GHSA-264v-m8fm-76jm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34067", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:17:49.301869Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:17:55.804Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "matchCriteriaId": "CD0CAAD1-7626-4A4A-A6F8-9DC46FE50731", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "nimiq-transaction provides the transaction primitive to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryTreeProof::verify` panics on a malformed proof where `history.len() != positions.len()` due to `assert_eq!(history.len(), positions.len())`. The proof object is derived from untrusted p2p responses (`ResponseTransactionsProof.proof`) and is therefore attacker-controlled at the network boundary until validated. A malicious peer could trigger a crash by returning a crafted inclusion proof with a length mismatch. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."}], "id": "CVE-2026-34067", "lastModified": "2026-04-24T17:12:48.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T21:17:07.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nimiq/core-rs-albatross/commit/6ff0800e8e031363e787c827d8d033e5694e4e6a"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/nimiq/core-rs-albatross/pull/3659"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-264v-m8fm-76jm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nimiq-transaction", "source": "cna", "vendor": "nimiq"}, "product": "nimiq-transaction", "vendor": "nimiq"}], "analysis": {"en": {"generated_at": "2026-04-28T20:41:40.091207+00:00", "value": {"mitigation_remediation": ["Upgrade nimiq-transaction to version\u202f1.3.0 or later.", "Restart the node after applying the upgrade to ensure the patch takes effect.", "Configure a process supervisor (e.g., systemd, runit) to automatically restart the node on crash, reducing downtime."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Nodes running Nimiq clients that include the nimiq\u2011transaction component before version\u202f1.3.0 are vulnerable. The flaw is present in any Rust Nimiq client that processes peer\u2011to\u2011peer transaction proofs. Versions 1.3.0 and later contain the patch.\n", "description_and_impact": "A verification function in Nimiq\u2019s Rust transaction library asserts that the length of a proof matches the number of positions it contains. When a proof with a length mismatch is supplied, the assertion triggers a panic, causing the node to crash. The proof data originates from untrusted peer\u2011to\u2011peer responses, so an attacker can easily craft a malicious inclusion proof to induce the crash. The resulting denial of service manifests as node termination or temporary unavailability, disrupting transaction processing and consensus.\n", "risk_and_exploitability": "The CVSS score of 3.1 indicates low severity, consistent with a crash that compromises availability but not confidentiality or integrity. The EPSS score is less than 1%, indicating a very low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Because the input comes from the network boundary, an adversary can trigger the panic by sending a crafted proof via the P2P protocol. While an exploit is straightforward once the node accepts untrusted proof data, the impact is confined to service disruption."}}}}, "created": "2026-04-27T19:53:06.811376+00:00", "updated": "2026-04-28T20:45:16.605768+00:00", "vendors": ["nimiq", "nimiq$PRODUCT$nimiq-transaction"]}