The vulnerability in nimiq/core-rs-albatross (CVE-2026-33471) arises from improper input validation in the SkipBlockProof::verify function. The function calculates quorum by using BitSet.len() and iterates over BitSet indices, casting each usize index to u16 for slot lookup. Prior to version 1.3.0, an attacker can craft a SkipBlockProof with MultiSignature.signers containing out-of-range indices spaced by 65536. These indices artificially inflate the length count but collide onto the same in-range u16 slot during aggregation, allowing a single BLS signature to be multiplied and pass verification despite having fewer than 2f+1 valid signers. This undermines the integrity of the consensus protocol. The issue is fixed in version 1.3.0. No vendor advisory or patch link is provided, but the fix is included in the stated version.

This vulnerability allows a malicious validator to bypass the quorum check in the Nimiq Proof-of-Stake consensus protocol by exploiting integer casting collisions in signature verification. As a result, consensus can be improperly reached with fewer than the required number of legitimate signers, potentially leading to consensus manipulation or denial of service. The CVSS score of 9.6 reflects critical impact with high integrity and availability consequences. There are no known exploits in the wild as of the published date.

Upgrade to nimiq/core-rs-albatross version 1.3.0 or later, where the vulnerability is patched. No known workarounds exist. Since this is a client-side Rust implementation, users must update their deployments to the fixed version to remediate the issue. Patch status is confirmed by the version release notes indicating the fix is included in v1.3.0.