CVE-2026-46543
Received - Intake
Remote Peer Crash in Nimiq Full Node via Genesis Block Hash

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with "No macro blocks before genesis block". This issue has been patched in version 1.5.0.

Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| nimiq | core-rs-albatross | to 1.5.0 (exc) |
| nimiq | core-rs-albatross | 1.5.0 |

CWE

| CWE ID | Description |
|--------|-------------|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |

Executive Summary

CVE-2026-46543 is a vulnerability in the Nimiq blockchain implementation (core-rs-albatross) affecting versions up to v1.4.0. A remote attacker can crash any full node by sending a specially crafted RequestBatchSet message containing the genesis block's hash.

The issue occurs because the handler calls get_epoch_chunks, which iterates backward through macro blocks using Policy::macro_block_before. When the iteration reaches the genesis block number, macro_block_before panics with the error "No macro blocks before genesis block", causing the node to crash.

This panic leads to a denial-of-service condition, and the vulnerability has been patched in version v1.5.0.
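
A simplified model of this failure mode, added here as an illustration and not taken from core-rs-albatross: the constants GENESIS and BATCH and all three functions are hypothetical stand-ins for the behaviour described above. It contrasts a helper that panics at the genesis boundary with a checked variant that lets a handler end the backward walk and return a result instead of aborting.

```rust
// Simplified model of the bug class (CWE-617); not code from core-rs-albatross.
// GENESIS and BATCH are constructed values, and these functions only mimic the
// behaviour the advisory attributes to Policy::macro_block_before.
const GENESIS: u32 = 1_000; // assumed genesis block number
const BATCH: u32 = 60; // assumed spacing between macro blocks

/// Panicking variant, modelled on the behaviour described in the advisory.
fn macro_block_before(block: u32) -> u32 {
    if block <= GENESIS {
        panic!("No macro blocks before genesis block");
    }
    GENESIS + (block - GENESIS - 1) / BATCH * BATCH
}

/// Total variant: the genesis boundary is reported as a value, not an abort.
fn checked_macro_block_before(block: u32) -> Option<u32> {
    if block <= GENESIS {
        return None;
    }
    Some(GENESIS + (block - GENESIS - 1) / BATCH * BATCH)
}

/// Handler-style walk over a peer-supplied block number: collect up to `max`
/// preceding macro block numbers, stopping cleanly once genesis is reached.
fn macro_blocks_back_from(start: u32, max: usize) -> Result<Vec<u32>, &'static str> {
    if start < GENESIS {
        return Err("block number below genesis");
    }
    let mut out = Vec::new();
    let mut cur = start;
    while out.len() < max {
        match checked_macro_block_before(cur) {
            Some(prev) => {
                out.push(prev);
                cur = prev;
            }
            None => break, // at genesis: nothing earlier exists
        }
    }
    Ok(out)
}

fn main() {
    // A request that names the genesis block itself yields an empty list.
    println!("{:?}", macro_blocks_back_from(GENESIS, 8));
    println!("{:?}", macro_blocks_back_from(GENESIS + 130, 8));
    let unchecked = std::panic::catch_unwind(|| macro_block_before(GENESIS));
    println!("unchecked helper panicked: {}", unchecked.is_err());
}
```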

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing any full node running the affected versions of the Nimiq core-rs-albatross software.

An attacker can remotely trigger this crash without requiring any privileges or user interaction, potentially disrupting the availability of the node.

Since the node crashes due to a panic triggered by a crafted message, it can lead to instability or downtime in the blockchain network relying on these nodes.

Detection Guidance

This vulnerability can be detected by monitoring for crash events or panic logs related to the RequestBatchSet message handling in Nimiq nodes running versions prior to 1.5.0.

Specifically, look for log entries containing the panic message "No macro blocks before genesis block" which indicates the node has encountered the vulnerability.

Network detection could involve capturing and analyzing network traffic for RequestBatchSet messages containing the genesis block's hash, which is the trigger for the crash.

Suggested commands to detect this might include:

  • Checking node logs for panic messages: `grep -i "No macro blocks before genesis block" /path/to/nimiq/logs`
  • Using network packet capture tools like tcpdump or Wireshark to filter for RequestBatchSet messages containing the genesis block hash.
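  • Example tcpdump command: `tcpdump -i <interface> -A 'tcp port <nimiq_port>' | grep '<genesis_block_hash>'` (this matches only when the hash appears in the capture as plain text; an encrypted transport or a binary-encoded hash will not match)

Mitigation Strategies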

The primary mitigation step is to upgrade the Nimiq core-rs-albatross software to version 1.5.0 or later, where the vulnerability has been patched.

Since no workaround exists, applying the official patch is the only effective way to prevent the denial-of-service caused by this vulnerability.

Additionally, monitoring network traffic for suspicious RequestBatchSet messages and restricting access to trusted peers can reduce exposure until the upgrade is applied.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
