CVE-2026-34064
Received Received - Intake
Integer Underflow Panic in Nimiq VestingContract Causes Node Crash

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34064
EUVD
EUVD-2026-25060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nimiq nimiq_proof-of-stake to 1.3.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the nimiq-account Rust implementation prior to version 1.3.0. Specifically, the function VestingContract::can_change_balance returns an error when the new balance is less than a minimum cap, but it constructs this error using a subtraction that can cause an underflow panic if the minimum cap is greater than the current balance.

Because the vesting contract creation data allows encoding a total amount without validating that it is less than or equal to the actual contract balance, an attacker can create a contract state where the minimum cap is greater than the balance. When the attacker broadcasts a transaction, this triggers a panic due to underflow during mempool admission and block processing, causing the node to crash.

This vulnerability was fixed in version 1.3.0, and no known workarounds are available.

Impact Analysis

This vulnerability can cause a node running the affected nimiq-account version to crash when processing certain transactions crafted by an attacker.

The impact is a denial of service (DoS) condition on the node, as the underflow panic causes the node to stop functioning properly during mempool admission and block processing.

There is no indication of data loss or unauthorized data modification, but the interruption of node operation can affect availability.

Detection Guidance

This vulnerability manifests as a panic (crash) in the Nimiq node when processing certain vesting or HTLC contracts with invalid creation data where the total_amount exceeds the contract balance. Detection involves monitoring for node crashes or panics related to arithmetic underflow during transaction processing or mempool admission.

Specifically, you can detect attempts to exploit this vulnerability by identifying transactions that create vesting contracts with a total_amount field greater than the transaction value, which is invalid and triggers the panic.

Since the vulnerability occurs during transaction verification and block processing, you can monitor logs for panic messages or errors related to 'InsufficientFunds' errors involving underflow or arithmetic panics.

No explicit detection commands are provided in the resources, but general approaches include:

  • Check node logs for panic or crash messages related to vesting contract transactions.
  • Monitor for transactions creating vesting contracts with suspiciously high total_amount values exceeding transaction values.
  • Use blockchain node debugging or tracing tools to inspect incoming transactions and contract creation data for invalid parameters.

Because the vulnerability is fixed in version 1.3.0, upgrading to this version is the recommended mitigation.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the nimiq-account component to version 1.3.0 or later, where the patch for this issue is included.

No known workarounds are available, so applying the update is the only effective mitigation.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart