CVE-2026-35468— nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs without the history index
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35468
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nimiq/core-rs-albatross: Panic in history index request handlers when a full node runs without the history index
Source: NVD (National Vulnerability Database)
Vulnerability Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, two peer-facing consensus request handlers assume that the history index is always available and call blockchain.history_store.history_index().unwrap() directly. That assumption is false by construction. HistoryStoreProxy::history_index() explicitly returns None for the valid HistoryStoreProxy::WithoutIndex state. when a full node is syncing or otherwise running without the history index, a remote peer can send RequestTransactionsProof or RequestTransactionReceiptsByAddress and trigger an Option::unwrap() panic on the request path. This issue has been patched in version 1.3.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加检查的返回值
Source: NVD (National Vulnerability Database)
Vulnerability Title
core-rs-albatross 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
core-rs-albatross是Nimiq开源的一个Albatross协议的Rust实现。 core-rs-albatross 1.3.0之前版本存在安全漏洞,该漏洞源于未正确处理None返回值,可能导致触发恐慌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nimiq | core-rs-albatross | < 1.3.0 | - |
II. Public POCs for CVE-2026-35468
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35468
Please Login to view more intelligence information
Same Patch Batch · nimiq · 2026-04-03 · 3 CVEs total
| CVE-2026-33184 | 7.5 HIGH | nimiq/core-rs-albatross: Discovery handshake limit could underflow and later provoke a det |
| CVE-2026-34061 | 4.9 MEDIUM | nimiq/core-rs-albatross: Macro block proposal interlink bug |
IV. Related Vulnerabilities
Same product: core-rs-albatross
- CVE-2026-34069
nimiq-consensus panics via RequestMacroChain micro-block loc - CVE-2026-32605
Nimiq: Remote crash via off-by-one signer bounds check in pr - CVE-2026-40093
nimiq-blockchain is missing a wall-clock upper bound on bloc - CVE-2026-33184
nimiq/core-rs-albatross: Discovery handshake limit could und - CVE-2026-34061
nimiq/core-rs-albatross: Macro block proposal interlink bug
Same vendor: nimiq
- CVE-2026-34068
nimiq-transaction: UpdateValidator transactions allows votin - CVE-2026-34067
nimiq-transaction vulnerable to panic via `HistoryTreeProof` - CVE-2026-34066
nimiq-blockchain: Peer-triggerable panic during history sync - CVE-2026-34065
nimiq-primitives: Node crash due to missing interlink valida - CVE-2026-34064
nimiq-account: Vesting insufficient funds error can panic
Same weakness: CWE-252
- CVE-2026-34065
nimiq-primitives: Node crash due to missing interlink valida - CVE-2026-35344
uutils coreutils dd Silent Data Corruption via Unconditional - CVE-2026-31830
sigstore-ruby verifier returns success for DSSE bundles with - CVE-2026-28691
ImageMagick has an uninitialized pointer dereference in JBIG - CVE-2026-0723
Unchecked Return Value in GitLab
V. Comments for CVE-2026-35468
No comments yet