CVE-2026-46541
Deferred Deferred - Pending Action

DHT Record Verification Flaw in Nimiq

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-30
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-29
NVD
CVE-2026-46541

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nimiq core-rs-albatross to 1.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Nimiq Rust implementation of the Proof-of-Stake protocol, specifically in the handle_dht_get() function. The issue is that the DhtResults accumulator is only initialized when the first Distributed Hash Table (DHT) record passes verification. If the first record is from a malicious node and fails verification, the accumulator is never created. As a result, all subsequent valid records are discarded with "DHT inconsistent state" errors.

This flaw allows an attacker to poison DHT queries by sending a failing first record, causing denial of service by ignoring legitimate responses.

Impact Analysis

The vulnerability can lead to a denial of service condition where legitimate DHT responses are discarded. This means that the system relying on these DHT queries may fail to receive valid data, potentially disrupting network operations or consensus mechanisms.

Since the attack can be performed remotely without privileges or user interaction, it poses a high risk to availability.

Detection Guidance

This vulnerability manifests as "DHT inconsistent state" errors when the first DHT record fails verification, causing subsequent valid records to be discarded. Detection involves monitoring logs or outputs for these specific error messages related to DHT queries.

Since the issue occurs in the handle_dht_get() function of the Nimiq core-rs-albatross implementation, you can check your system logs or application debug output for occurrences of "DHT inconsistent state" errors.

No specific commands are provided in the available resources, but general approaches include:

  • Using log inspection commands such as `grep 'DHT inconsistent state' /path/to/nimiq/logs` to find relevant error messages.
  • Monitoring network traffic for unusual DHT query failures or dropped responses using tools like `tcpdump` or `wireshark` focusing on the DHT protocol traffic.
Mitigation Strategies

The primary mitigation step is to upgrade the Nimiq core-rs-albatross software to version 1.4.0 or later, where this vulnerability has been patched.

This update includes fixes that harden the DHT query handling against poisoning attempts, preventing the denial of service caused by discarded valid records.

Until the upgrade can be applied, monitoring for the "DHT inconsistent state" errors and isolating or blocking malicious DHT nodes may help reduce the impact.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46541. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart