CVE-2026-46542— nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
Possible ATT&CK Techniques 1AI
T1499 · Endpoint Denial of ServiceAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nimiq | core-rs-albatross | < 1.4.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46542
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs called .unwrap() on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Ed25519PublicKey construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the hosting process. This issue has been patched in version 1.4.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
可达断言
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nimiq | core-rs-albatross | < 1.4.0 | - |
II. Public POCs for CVE-2026-46542
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-46542
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-46542 (1)
Vendor Advisories for CVE-2026-46542 (1)
Vendor Pages for CVE-2026-46542 (1)
Same Patch Batch · nimiq · 2026-06-09 · 7 CVEs total
| CVE-2026-46545 | 7.5 HIGH | nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item |
| CVE-2026-46541 | 7.5 HIGH | Nimiq network-libp2p: DHT query poisoning via first-record verification failure |
| CVE-2026-46540 | 6.5 MEDIUM | Nimiq light-blockchain: Light blockchain rebranch issue |
| CVE-2026-46539 | 5.9 MEDIUM | nimiq-primitives: BlockInclusionProof interlink issue when hops are empty |
| CVE-2026-46543 | 5.3 MEDIUM | nimiq-blockchain: Genesis batch set request |
| CVE-2026-44505 | 5.3 MEDIUM | Nimiq network-libp2p: Untrusted peer can wedge DHT |
IV. Related Vulnerabilities
Same product: core-rs-albatross
- CVE-2026-46545
nimiq-primitives: Panic DoS in trie chunk processing via ROO - CVE-2026-46543
nimiq-blockchain: Genesis batch set request - CVE-2026-46541
Nimiq network-libp2p: DHT query poisoning via first-record v - CVE-2026-46540
Nimiq light-blockchain: Light blockchain rebranch issue - CVE-2026-46539
nimiq-primitives: BlockInclusionProof interlink issue when h
Same vendor: nimiq
- CVE-2026-46545
nimiq-primitives: Panic DoS in trie chunk processing via ROO - CVE-2026-46543
nimiq-blockchain: Genesis batch set request - CVE-2026-46541
Nimiq network-libp2p: DHT query poisoning via first-record v - CVE-2026-46540
Nimiq light-blockchain: Light blockchain rebranch issue - CVE-2026-46539
nimiq-primitives: BlockInclusionProof interlink issue when h
V. Comments for CVE-2026-46542
No comments yet