
CVE-2026-40094: nimiq-blockchain: network-libp2p untrusted peer can crash address book via empty peer contact addresses

CVSS 4.3 · Medium · EPSS 0.03% · P10

Possible ATT&CK Techniques (1, AI-suggested)

T1499 · Endpoint Denial of Service

Affected Version Matrix (1)

Vendor   Product             Version Range   Status
nimiq    core-rs-albatross   < 1.4.0         affected

I. Basic Information for CVE-2026-40094

Vulnerability Information


Vulnerability Title
nimiq-blockchain: network-libp2p untrusted peer can crash address book via empty peer contact addresses
Source: NVD (National Vulnerability Database)
Vulnerability Description
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Check for Unusual or Exceptional Conditions
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nimiq code issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nimiq is Nimiq's open-source Rust implementation of the Albatross protocol. Nimiq 1.3.0 and earlier contain a code issue vulnerability: network discovery accepts and stores signed PeerContact updates from untrusted peers, and when a PeerContact contains an empty address list, calling get_address_book can panic and crash the node or the RPC task.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
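The pattern in the descriptions above, as an added Rust example that is not Nimiq's own code: an unchecked insert followed by the `addresses.first().expect(...)` lookup that panics on an empty list, beside a hardened book that rejects address-less contacts at insertion and skips them when building the address book. The struct layouts, the `String` address type and the sample addresses are assumptions.

```rust
// Added example, not the Nimiq code base. Names follow the advisory
// (PeerContact, PeerContactBook, known_peers); layouts are assumed.
use std::collections::HashMap;

type PeerId = String;

#[derive(Clone, Debug)]
pub struct PeerContact {
    pub peer_id: PeerId,
    // A signed contact may legally arrive with an empty address list.
    pub addresses: Vec<String>,
}

#[derive(Default)]
pub struct PeerContactBook {
    contacts: HashMap<PeerId, PeerContact>,
}

impl PeerContactBook {
    /// Vulnerable pattern: store whatever a (signed) peer sent, unvalidated.
    pub fn insert_unchecked(&mut self, c: PeerContact) {
        self.contacts.insert(c.peer_id.clone(), c);
    }

    /// Hardened insert: refuse contacts that carry no addresses at all.
    pub fn insert_validated(&mut self, c: PeerContact) -> Result<(), String> {
        if c.addresses.is_empty() {
            return Err(format!("peer {} has no addresses", c.peer_id));
        }
        self.contacts.insert(c.peer_id.clone(), c);
        Ok(())
    }

    /// Mirrors the panicking lookup: one empty contact aborts the whole call.
    pub fn known_peers_panicking(&self) -> Vec<(PeerId, String)> {
        self.contacts
            .values()
            .map(|c| {
                let addr = c.addresses.first().expect("every peer should have at least one address");
                (c.peer_id.clone(), addr.clone())
            })
            .collect()
    }

    /// Hardened lookup: skip contacts without addresses instead of unwrapping.
    pub fn known_peers(&self) -> Vec<(PeerId, String)> {
        self.contacts
            .values()
            .filter_map(|c| c.addresses.first().map(|a| (c.peer_id.clone(), a.clone())))
            .collect()
    }
}
```

Both the insert-time check and the `filter_map` lookup are needed: the first keeps untrusted empty contacts out of the book, the second keeps the RPC path from panicking if one slips in through another route.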

Affected Products

Vendor   Product             Affected Versions   CPE
nimiq    core-rs-albatross   < 1.4.0             -

II. Public POCs for CVE-2026-40094


No public POC found.


III. Intelligence Information for CVE-2026-40094


Patches & Fixes for CVE-2026-40094 (1)

Vendor Advisories for CVE-2026-40094 (1)

Vendor Pages for CVE-2026-40094 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-40094
