CVE-2026-33184
Analyzed - Analysis Complete
Integer Overflow Panic in nimiq/core-rs-albatross Peer Discovery

Publication date: 2026-04-03

Last updated on: 2026-05-05

Assigner: GitHub, Inc.

Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.
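The arithmetic described above, next to one possible hardened form. This is an added example, not code from nimiq/core-rs-albatross and not the project's patch. Assumptions: the stored limit is modelled as Option<u16>, all function names are hypothetical, and the contact sampler is replaced by a plain Vec pre-allocation so the block needs only the standard library.

```rust
use std::collections::TryReserveError;

// Assumption: the stored limit is modelled as Option<u16>; all names here are hypothetical.

/// The arithmetic from the description: `limit as usize - 1`.
/// wrapping_sub reproduces what a build without overflow checks computes.
fn vulnerable_amount(peer_list_limit: Option<u16>) -> usize {
    (peer_list_limit.unwrap() as usize).wrapping_sub(1)
}

/// Stand-in for a sampler that pre-allocates `amount` slots.
/// try_reserve_exact reports as an error the same capacity overflow
/// on which Vec::with_capacity panics.
fn try_preallocate(amount: usize) -> Result<Vec<u64>, TryReserveError> {
    let mut out: Vec<u64> = Vec::new();
    out.try_reserve_exact(amount)?;
    Ok(out)
}

/// Hardened count: checked subtraction, then a clamp to the contacts actually held.
/// None means "nothing to send in this update" (missing limit, or limit too small).
fn safe_amount(peer_list_limit: Option<u16>, available: usize) -> Option<usize> {
    let limit = usize::from(peer_list_limit?);
    let amount = limit.checked_sub(1)?.min(available);
    if amount == 0 { None } else { Some(amount) }
}

fn main() {
    let hostile = Some(0u16); // constructed input: peer advertises limit = 0
    let amount = vulnerable_amount(hostile);
    println!("vulnerable amount = {} (usize::MAX = {})", amount, usize::MAX);
    println!("pre-allocation fails: {}", try_preallocate(amount).is_err());
    println!("hardened amount for limit 0 = {:?}", safe_amount(hostile, 25));
    println!("hardened amount for limit 10 = {:?}", safe_amount(Some(10), 25));
}
```

Clamping to the number of contacts actually held also bounds the allocation for any large peer-supplied limit, not only for the zero case.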
Meta Information
Published: 2026-04-03
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-04-04
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nimiq
Product: nimiq_proof-of-stake
Version / Range: From 1.2.2 (inc)
CWE
CWE-191: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched in version 1.3.0 of nimiq/core-rs-albatross. Immediate mitigation involves upgrading to version 1.3.0 or later.


Can you explain this vulnerability to me?

The vulnerability exists in the nimiq/core-rs-albatross Rust implementation of the Nimiq Proof-of-Stake protocol. Before version 1.3.0, during the handshake process, the discovery handler accepts a peer-controlled limit value and stores it without validation. If this limit is set to zero, the handshake acknowledges it and returns zero contacts, making the session appear normal.

However, later in the session, when the periodic update path uses this limit value, it performs a calculation that causes an integer wraparound from 0 to usize::MAX (the maximum value for the usize type). This leads to a call to allocate a vector with an extremely large capacity, which causes the program to panic deterministically due to capacity overflow.

This issue results in a denial of service by crashing the application and was fixed in version 1.3.0.


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) condition. An attacker can exploit the flaw by sending a handshake with a peer-controlled limit set to zero, which eventually triggers a capacity overflow and causes the application to panic and crash.

As a result, the affected system or service running the vulnerable nimiq/core-rs-albatross software may become unavailable or unstable, impacting reliability and availability.

