CVE-2026-33184: CWE-191: Integer Underflow (Wrap or Wraparound) in nimiq core-rs-albatross
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.
AI Analysis
Technical Summary
The vulnerability occurs because the discovery handler in nimiq/core-rs-albatross accepts a peer-controlled limit during handshake without validation. When this limit is zero, the subsequent computation subtracts one, causing an integer underflow that wraps to usize::MAX. This large value is then used as a capacity argument in Vec::with_capacity, causing a deterministic panic due to capacity overflow in the rand 0.9.2 crate's choose_multiple() function. This leads to a denial of service by crashing the node. The flaw affects versions before 1.3.0 and has been fixed in version 1.3.0.
Potential Impact
The vulnerability allows an unauthenticated remote attacker controlling the handshake limit parameter to cause a denial of service by crashing the node process. There is no impact on confidentiality or integrity, but availability is severely affected due to the panic triggered by the integer underflow and capacity overflow.
Mitigation Recommendations
Upgrade to nimiq/core-rs-albatross version 1.3.0 or later, where this integer underflow issue has been patched. Since the vendor advisory confirms the fix in version 1.3.0, applying this official update fully mitigates the vulnerability.
CVE-2026-33184: CWE-191: Integer Underflow (Wrap or Wraparound) in nimiq core-rs-albatross
Description
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors limit = 0 and returns zero contacts, which makes the session look benign. Later, after the same session reaches Established, the periodic update path computes self.peer_list_limit.unwrap() as usize - 1. With limit = 0, that wraps to usize::MAX and then in rand 0.9.2, choose_multiple() immediately attempts Vec::with_capacity(amount), which deterministically panics with capacity overflow. This issue has been patched in version 1.3.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability occurs because the discovery handler in nimiq/core-rs-albatross accepts a peer-controlled limit during handshake without validation. When this limit is zero, the subsequent computation subtracts one, causing an integer underflow that wraps to usize::MAX. This large value is then used as a capacity argument in Vec::with_capacity, causing a deterministic panic due to capacity overflow in the rand 0.9.2 crate's choose_multiple() function. This leads to a denial of service by crashing the node. The flaw affects versions before 1.3.0 and has been fixed in version 1.3.0.
Potential Impact
The vulnerability allows an unauthenticated remote attacker controlling the handshake limit parameter to cause a denial of service by crashing the node process. There is no impact on confidentiality or integrity, but availability is severely affected due to the panic triggered by the integer underflow and capacity overflow.
Mitigation Recommendations
Upgrade to nimiq/core-rs-albatross version 1.3.0 or later, where this integer underflow issue has been patched. Since the vendor advisory confirms the fix in version 1.3.0, applying this official update fully mitigates the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T22:16:36.720Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d03f860a160ebd92619e11
Added to database: 4/3/2026, 10:30:30 PM
Last enriched: 4/11/2026, 9:27:03 AM
Last updated: 5/20/2026, 8:50:00 PM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.