CVE-2026-34064
Integer Underflow Panic in Nimiq VestingContract Causes Node Crash
Publication date: 2026-04-22
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nimiq | nimiq_proof-of-stake | versions before 1.3.0 (1.3.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a panic (crash) in the Nimiq node when processing certain vesting or HTLC contracts with invalid creation data where the total_amount exceeds the contract balance. Detection involves monitoring for node crashes or panics related to arithmetic underflow during transaction processing or mempool admission.
Specifically, you can detect attempts to exploit this vulnerability by identifying transactions that create vesting contracts with a total_amount field greater than the transaction value, which is invalid and triggers the panic.
Since the vulnerability occurs during transaction verification and block processing, you can monitor node logs for panic messages or arithmetic-underflow errors on the 'InsufficientFunds' error path.
No explicit detection commands are provided in the resources, but general approaches include:
- Check node logs for panic or crash messages related to vesting contract transactions.
- Monitor for transactions creating vesting contracts with suspiciously high total_amount values exceeding transaction values.
- Use blockchain node debugging or tracing tools to inspect incoming transactions and contract creation data for invalid parameters.
Because the vulnerability is fixed in version 1.3.0, upgrading to this version is the recommended mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
The vulnerability exists in the nimiq-account Rust implementation prior to version 1.3.0. Specifically, the function VestingContract::can_change_balance returns an error when the new balance is less than a minimum cap, but it constructs this error using a subtraction that can cause an underflow panic if the minimum cap is greater than the current balance.
Because the vesting contract creation data allows encoding a total amount without validating that it is less than or equal to the actual contract balance, an attacker can create a contract state where the minimum cap is greater than the balance. When the attacker broadcasts a transaction, this triggers a panic due to underflow during mempool admission and block processing, causing the node to crash.
This vulnerability was fixed in version 1.3.0, and no known workarounds are available.
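An added Rust model of the bug class described above (example code, not Nimiq's own; the Coin newtype, the error payload and the function shapes are assumptions): the vulnerable form builds its error with a subtraction that panics whenever the minimum cap exceeds the balance, the hardened form reports the amounts without subtracting, and a creation-time check rejects a total_amount larger than the funded balance.

```rust
// Added example, not Nimiq's code. Coin is a constructed newtype whose `-`
// panics on underflow, standing in for a panicking balance subtraction.
use std::ops::Sub;

#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
pub struct Coin(pub u64);

impl Sub for Coin {
    type Output = Coin;
    fn sub(self, rhs: Coin) -> Coin {
        Coin(self.0.checked_sub(rhs.0).expect("Coin subtraction underflow"))
    }
}

#[derive(Debug, PartialEq)]
pub enum AccountError {
    /// Balance would fall below the vesting minimum cap (payload is assumed).
    InsufficientFunds { needed: Coin, balance: Coin },
    /// Creation data encodes a total_amount the contract is not funded for.
    InvalidCreationData,
}

/// Vulnerable pattern: the error payload is built with `balance - min_cap`,
/// which panics when min_cap > balance (reachable via unvalidated total_amount).
pub fn can_change_balance_vulnerable(balance: Coin, min_cap: Coin, new_balance: Coin)
    -> Result<(), AccountError> {
    if new_balance < min_cap {
        return Err(AccountError::InsufficientFunds { needed: min_cap, balance: balance - min_cap });
    }
    Ok(())
}

/// Hardened pattern: no unchecked arithmetic on the error path; report the
/// raw amounts so the caller gets an Err instead of the node panicking.
pub fn can_change_balance_fixed(balance: Coin, min_cap: Coin, new_balance: Coin)
    -> Result<(), AccountError> {
    if new_balance < min_cap {
        return Err(AccountError::InsufficientFunds { needed: min_cap, balance });
    }
    Ok(())
}

/// Creation-time invariant: total_amount must never exceed the funded balance,
/// so min_cap > balance cannot be encoded into contract state in the first place.
pub fn validate_creation(total_amount: Coin, funded_balance: Coin) -> Result<(), AccountError> {
    if total_amount > funded_balance { Err(AccountError::InvalidCreationData) } else { Ok(()) }
}
```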
How can this vulnerability impact me?
This vulnerability can cause a node running the affected nimiq-account version to crash when processing certain transactions crafted by an attacker.
The impact is a denial of service (DoS) condition on the node, as the underflow panic causes the node to stop functioning properly during mempool admission and block processing.
There is no indication of data loss or unauthorized data modification, but the interruption of node operation can affect availability.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the nimiq-account component to version 1.3.0 or later, where the patch for this issue is included.
No known workarounds are available, so applying the update is the only effective mitigation.