Executive Summary

CVE-2026-32605 is a vulnerability in the Rust package nimiq-validator caused by an off-by-one error in the signer bounds check within the ProposalSender::send function. The code incorrectly uses a greater-than (>) comparison instead of a greater-than-or-equal-to (>=) comparison when validating the signer index against the number of validators. This allows an untrusted peer to submit a signed Tendermint proposal message with a signer index equal to the number of validators, which is out-of-bounds.

When this happens, the function get_validator_by_slot_band() is called with an invalid index, causing a panic due to out-of-bounds access before any signature verification occurs. This leads to a remote crash of the validator node without requiring privileges or user interaction.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by any untrusted peer sending a crafted proposal message over the network to cause a panic and crash the validator node. The impact is a denial of service (DoS) due to the validator crashing remotely without any privileges or user interaction.

The vulnerability affects availability (causing downtime or service interruption) but does not impact confidentiality or integrity of the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or panics in the validator node caused by out-of-bounds access when processing signed Tendermint proposal messages.

Specifically, look for panic logs related to the function get_validator_by_slot_band() indicating an out-of-bounds index error triggered by a signer index equal to the number of validators.

Since the attack can be performed remotely by sending crafted proposals over the network, network traffic inspection for unusual or malformed Tendermint proposal messages with signer indices equal to the number of validators may help detect exploitation attempts.

There are no explicit commands provided in the resources, but suggested approaches include:

• Check application logs for panic or crash messages related to validator processing.
• Use network packet capture tools (e.g., tcpdump, Wireshark) to filter and analyze Tendermint proposal messages for signer indices equal to the number of validators.
• Run tests similar to those added in the fix, such as sending proposals with signer indices equal to or greater than the number of validators to see if they are rejected or cause crashes.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the nimiq/core-rs-albatross package to version 1.3.0 or later, where the off-by-one error in the signer bounds check has been fixed.

This fix changes the signer index validation from a greater-than (>) to a greater-than-or-equal-to (>=) comparison, preventing out-of-bounds access and panics caused by maliciously crafted proposals.

There are no known workarounds or alternative mitigations other than applying the patch.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability impacts the availability of the affected system by allowing an untrusted peer to remotely crash a validator node without requiring any privileges or user interaction.

It does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise confidentiality or integrity, it is unlikely to directly violate compliance requirements related to data protection standards such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, the availability impact could indirectly affect compliance if system downtime leads to failure in meeting service availability requirements stipulated by certain regulations.

Useful 0 Not Useful 0