GHSA-VGHX-352F-93JM
Vulnerability from github – Published: 2026-05-21 19:46 – Updated: 2026-05-21 19:46
Summary
nimiq-blockchain: Genesis batch set request
Details
Impact
A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with "No macro blocks before genesis block".
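The failure mode described above, as an added example that is not taken from the advisory or from the nimiq code base. It is a simplified model: the constants, the function bodies and the `walk_*` names are assumptions, and the project's actual fix is not shown on this page.

```rust
// Simplified model of the failure mode; NOT nimiq code. All constants and
// function bodies are assumptions made for illustration.
const GENESIS: u32 = 1_000; // constructed genesis block number
const BATCH: u32 = 60; // constructed batch length

/// Models a helper that asserts its precondition, as the advisory describes.
fn macro_block_before(n: u32) -> u32 {
    assert!(n > GENESIS, "No macro blocks before genesis block");
    GENESIS + (n - GENESIS - 1) / BATCH * BATCH
}

/// Unchecked walk: a peer-chosen start block flows straight into the assert.
fn walk_unchecked(start: u32, steps: usize) -> Vec<u32> {
    let mut out = vec![start];
    for _ in 0..steps {
        let prev = macro_block_before(*out.last().unwrap()); // panics at genesis
        out.push(prev);
    }
    out
}

/// Hardened walk (hypothetical): reject genesis up front, stop on reaching it.
fn walk_checked(start: u32, steps: usize) -> Result<Vec<u32>, &'static str> {
    if start <= GENESIS {
        return Err("no batch set at or before genesis");
    }
    let mut out = vec![start];
    for _ in 0..steps {
        let cur = *out.last().unwrap();
        if cur <= GENESIS {
            break; // nothing precedes genesis; end the walk cleanly
        }
        out.push(macro_block_before(cur));
    }
    Ok(out)
}

fn main() {
    println!("{:?}", walk_checked(GENESIS + 180, 5));
    println!("{:?}", walk_checked(GENESIS, 5));
    let crashed = std::panic::catch_unwind(|| walk_unchecked(GENESIS, 1)).is_err();
    println!("unchecked walk from genesis panicked: {}", crashed);
}
```

The general point for CWE-617: a helper that asserts its precondition is safe only when every caller on a network-reachable path validates peer input first or uses a fallible variant.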
Patches
The patch for this vulnerability is formally released as part of v1.5.0.
Workarounds
No workaround, although requesting the genesis batch set is not used during normal operation.
Resources
See PR.
Severity
5.3 (Medium)
{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "nimiq-blockchain"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46543"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-617"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-21T19:46:15Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nA remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block\u0027s hash. The handler calls `get_epoch_chunks` which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_before` panics with \"No macro blocks before genesis block\".\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3745) is formally released as part of [v1.5.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0).\n\n### Workarounds\nNo Workaround, although requesting the genesis batch set is not used during normal operation.\n\n### Resources\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3745).",
  "id": "GHSA-vghx-352f-93jm",
  "modified": "2026-05-21T19:46:15Z",
  "published": "2026-05-21T19:46:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/pull/3745"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nimiq/core-rs-albatross"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nimiq-blockchain: Genesis batch set request"
}