The vulnerability CVE-2026-28402 affects the nimiq/core-rs-albatross software, a Rust-based implementation of the Nimiq Proof-of-Stake blockchain protocol using the Albatross consensus algorithm. Specifically, prior to version 1.2.2, the software fails to properly validate the integrity check value binding between the macro block proposal header's body_root field and the actual hash of the macro block body. A malicious or compromised validator node, when elected as proposer, can craft a macro block proposal where the header.body_root does not match the hash of the macro body. The proposal verification process only validates the header but omits verifying that body_root equals the hash of the body, allowing the invalid proposal to pass initial checks. However, subsequent code assumes this binding is valid and attempts to process the macro block accordingly. This mismatch causes the validator software to panic and crash, resulting in denial of service for that validator node. The vulnerability is categorized under CWE-354, indicating improper validation of integrity check values. The impact is limited to validator nodes and does not affect non-validator participants or the confidentiality of data. The patch released in version 1.2.2 adds the missing verification step to ensure the body_root matches the hash of the macro body during proposal checks, preventing malformed proposals from causing crashes. No known workarounds are available, so upgrading is essential. The CVSS v3.1 score is 7.1 (High), with attack vector network, low attack complexity, requiring privileges (validator proposer role), no user interaction, unchanged scope, no confidentiality impact, low integrity impact, and high availability impact due to node crashes. There are no known exploits in the wild at this time.

This vulnerability primarily impacts validator nodes participating in the Nimiq Proof-of-Stake network using the core-rs-albatross implementation before version 1.2.2. A successful exploit can cause targeted validator nodes to crash, resulting in denial of service. This reduces the number of active validators, potentially weakening network consensus stability and resilience. While it does not directly compromise confidentiality or integrity of blockchain data, the availability impact can disrupt validator operations and delay block finalization. In a worst-case scenario, if multiple validators are compromised or maliciously exploited, it could degrade network performance or open avenues for further consensus manipulation attacks. Organizations running validator infrastructure face operational risks, including downtime, loss of staking rewards, and reputational damage. Since the attack requires the attacker to be an elected proposer, the threat is limited to insiders or compromised validator nodes rather than external unauthenticated attackers. However, the ease of exploitation (low complexity) and network attack vector mean that once a validator is compromised, exploitation is straightforward. The lack of workarounds means patching is the only effective mitigation. Overall, the threat poses a significant availability risk to validator operators and the stability of the Nimiq blockchain network.

The primary mitigation is to upgrade all validator nodes running the nimiq/core-rs-albatross software to version 1.2.2 or later, which includes the patch that enforces the integrity check between header.body_root and the macro body hash. Validator operators should prioritize this upgrade to prevent potential crashes from malformed macro block proposals. Additionally, operators should implement strict security controls to prevent validator node compromise, including hardened host configurations, secure key management, and network segmentation to reduce the risk of malicious insiders or external attackers gaining proposer privileges. Monitoring validator node logs for unexpected panics or crashes can help detect exploitation attempts. Since no workarounds exist, maintaining up-to-date backups and failover validator nodes can improve resilience. Network-level protections, such as filtering or rate limiting proposals from suspicious validators, may help but require coordination within the validator community. Finally, validator operators should stay informed of updates from the Nimiq project and apply security patches promptly.