CVE-2026-40094
nimiq-blockchain PeerContact Crash via Empty Address List
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nimiq | nimiq-blockchain | to 1.4.0 (exc) |
| nimiq | nimiq-blockchain | 1.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the nimiq-blockchain software versions 1.3.0 and earlier. It involves the network-libp2p discovery component accepting signed PeerContact updates from untrusted peers and storing them in a peer contact book. A PeerContact can legally have an empty list of addresses, but the software later assumes every peer has at least one address. If an attacker inserts a signed PeerContact with an empty addresses list, any call to get_address_book can cause the node or RPC task to panic and crash.
This issue was fixed in version 1.4.0.
How can this vulnerability impact me? :
This vulnerability can cause the node or RPC task of the nimiq-blockchain software to crash unexpectedly when it processes a malicious PeerContact with an empty address list. This can lead to denial of service, disrupting the availability of the node and potentially affecting network operations or services relying on it.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade nimiq-blockchain to version 1.4.0 or later, where the issue has been fixed.