Compliance Impact

The vulnerability CVE-2026-34062 causes resource exhaustion through allocation of resources without limits or throttling, leading to partial denial of service. However, it does not impact confidentiality or integrity of data.

Since the vulnerability does not result in unauthorized access, data leakage, or modification, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

Nevertheless, the availability impact (partial denial of service) could indirectly affect service reliability requirements under some standards, but there is no explicit mention of compliance impact in the provided information.

Useful 0 Not Useful 0

Executive Summary

The vulnerability exists in the nimiq-libp2p network implementation prior to version 1.3.0. Specifically, the functions MessageCodec::read_request and read_response call read_to_end() on inbound substreams, allowing a remote peer to send only a partial frame and keep the substream open indefinitely.

Because the Behaviour::new function sets with_max_concurrent_streams to 1000, the node exposes a much larger stalled-slot budget than the library default, which can be exploited by an attacker.

This means an attacker can keep many substreams open by sending partial frames, potentially exhausting resources.

The vulnerability was fixed in version 1.3.0, and no known workarounds are available.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a remote peer to keep many substreams open with partial frames, effectively stalling the node's resources.

Because the node allows up to 1000 concurrent streams, an attacker can exhaust the stalled-slot budget, potentially leading to denial of service (DoS) conditions.

This can degrade the performance or availability of the node in the Nimiq network.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in nimiq-libp2p version 1.3.0. The immediate step to mitigate this vulnerability is to upgrade your nimiq-libp2p implementation to version 1.3.0 or later.

No known workarounds are available.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a remote peer sending partial frames and keeping substreams open indefinitely, leading to resource exhaustion by stalling many concurrent substreams. Detection would involve monitoring for unusually high numbers of stalled or half-open substreams or connections in the nimiq-libp2p network implementation.

Since the vulnerability is related to the behavior of the network streams and resource exhaustion, you can detect it by observing network connections and resource usage patterns on nodes running vulnerable versions (≤ 1.2.2).

Specific commands to detect this might include:

• Using system tools like `netstat` or `ss` to identify many open or half-open TCP connections related to the nimiq-libp2p service.
• Monitoring process resource usage with `top` or `htop` to detect unusually high memory or file descriptor consumption.
• Using application-level logging or metrics (if available) to track the number of concurrent streams or substreams and detect if the count approaches or exceeds the configured limit (1000).

No specific detection commands or tools are provided in the available resources.

Useful 0 Not Useful 0