CVE-2026-34069: Remote Denial of Service via Reachable Assertion in Nimiq Albatross Consensus
Vulnerability ID: CVE-2026-34069
CVSS Score: 5.3
Published: 2026-04-13
The Nimiq Albatross consensus implementation suffers from a remote Denial of Service (DoS) vulnerability. An unauthenticated peer can trigger a reachable assertion by sending a crafted RequestMacroChain message containing a micro block hash, leading to a Rust panic and subsequent crash of the consensus task.
TL;DR
Unauthenticated remote attackers can crash Nimiq Albatross nodes (versions <= 1.2.2) via a crafted P2P message that exploits a missing block type check, triggering a reachable assertion (CWE-617) and an application panic.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-34069
- CVSS v3.1 Score: 5.3
- CWE ID: CWE-617 (Reachable Assertion)
- Attack Vector: Network
- Privileges Required: None
- Exploit Status: Proof of Concept
- CISA KEV: Not Listed
Affected Systems
- Nimiq Albatross (nimiq-consensus component)
- nimiq/core-rs-albatross: <= 1.2.2 (Fixed in: 1.3.0)
Code Analysis
Commit: ae6c1e9
Fix DoS in RequestMacroChain handler by verifying block type
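The bug class described above, shown as an added example rather than code from nimiq/core-rs-albatross: a handler that asserts a peer-supplied hash names a macro block, next to one that verifies the block type and returns an error. All types, function names and the 4-byte hashes are hypothetical stand-ins, and the sample chain is constructed.

```rust
use std::collections::HashMap;

// Hypothetical, simplified model; these types are not the nimiq-consensus API.
#[derive(Debug, PartialEq)]
enum Block { Macro { height: u32 }, Micro { height: u32 } }

#[derive(Debug, PartialEq)]
enum RequestError { UnknownLocator, NotMacroBlock }

type Chain = HashMap<[u8; 4], Block>;

impl Block {
    // Risky accessor: asserts the variant and panics on anything else.
    fn unwrap_macro_height(&self) -> u32 {
        match self {
            Block::Macro { height } => *height,
            Block::Micro { .. } => panic!("expected macro block"),
        }
    }
}

// "Before": assumes a locator hash received from a peer names a macro block.
fn handle_unchecked(chain: &Chain, locator: &[u8; 4]) -> Option<u32> {
    chain.get(locator).map(|b| b.unwrap_macro_height())
}

// "After": verify the block type and reject the request instead of panicking.
fn handle_checked(chain: &Chain, locator: &[u8; 4]) -> Result<u32, RequestError> {
    match chain.get(locator) {
        Some(Block::Macro { height }) => Ok(*height),
        Some(Block::Micro { .. }) => Err(RequestError::NotMacroBlock),
        None => Err(RequestError::UnknownLocator),
    }
}

// Constructed sample chain: one macro block and one micro block.
fn sample_chain() -> Chain {
    let mut c = Chain::new();
    c.insert(*b"MAC0", Block::Macro { height: 32 });
    c.insert(*b"MIC1", Block::Micro { height: 33 });
    c
}

fn main() {
    let chain = sample_chain();
    let crashed = std::panic::catch_unwind(|| handle_unchecked(&chain, b"MIC1")).is_err();
    println!("unchecked handler panicked: {crashed}");
    println!("checked handler: {:?}", handle_checked(&chain, b"MIC1"));
}
```

In the checked version the wrong block type is an ordinary error the caller can log and answer with a rejection, so the task handling peer requests keeps running.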
Mitigation Strategies
- Upgrade the Nimiq Albatross application to version 1.3.0 or higher.
- Audit Rust codebases for unsafe .unwrap() usage on external network inputs.
Remediation Steps:
- Download the Nimiq Albatross version 1.3.0 release.
- Stop the currently running node process.
- Replace the binary or update the package.
- Restart the node and verify successful P2P synchronization.
References
- Nimiq Security Advisory GHSA-48m6-486p-9j8p
- Fix Commit in nimiq/core-rs-albatross
- Fix Pull Request
- Official Nimiq v1.3.0 Release
Read the full report for CVE-2026-34069 on our website for more details including interactive diagrams and full exploit analysis.