CVE-2026-34063: CWE-617: Reachable Assertion in nimiq network-libp2p
A reachable assertion vulnerability exists in Nimiq's network-libp2p prior to version 1. 3. 0. The network-libp2p discovery protocol handler incorrectly assumes only one inbound and one outbound discovery substream per connection. If a remote peer opens a second discovery substream on the same connection, the handler triggers a panic, causing the networking task to crash and the node's p2p networking to go offline until restarted. This denial-of-service condition affects availability but does not impact confidentiality or integrity. The issue is fixed in version 1. 3. 0. No known workarounds are available.
AI Analysis
Technical Summary
Nimiq's network-libp2p prior to v1.3.0 uses a libp2p ConnectionHandler state machine for discovery that assumes a maximum of one inbound and one outbound discovery substream per connection. If a remote peer opens or negotiates a second discovery protocol substream on the same connection, the handler triggers a panic with messages like "Inbound already connected" or "Outbound already connected" instead of failing closed. This causes the networking task (swarm) to crash remotely, taking the node's p2p networking offline until a restart occurs. The vulnerability is tracked as CWE-617 (Reachable Assertion) and is addressed by a patch released in version 1.3.0. No workarounds are known.
Potential Impact
Exploitation of this vulnerability results in a denial-of-service condition by crashing the networking task of the affected node, causing its p2p networking to go offline until the node is restarted. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication.
Mitigation Recommendations
Upgrade to network-libp2p version 1.3.0 or later where the vulnerability is patched. No known workarounds exist. Since this is not a cloud service, remediation depends on applying the official fix.
CVE-2026-34063: CWE-617: Reachable Assertion in nimiq network-libp2p
Description
A reachable assertion vulnerability exists in Nimiq's network-libp2p prior to version 1. 3. 0. The network-libp2p discovery protocol handler incorrectly assumes only one inbound and one outbound discovery substream per connection. If a remote peer opens a second discovery substream on the same connection, the handler triggers a panic, causing the networking task to crash and the node's p2p networking to go offline until restarted. This denial-of-service condition affects availability but does not impact confidentiality or integrity. The issue is fixed in version 1. 3. 0. No known workarounds are available.
CVSS v3.1
Score 7.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Nimiq's network-libp2p prior to v1.3.0 uses a libp2p ConnectionHandler state machine for discovery that assumes a maximum of one inbound and one outbound discovery substream per connection. If a remote peer opens or negotiates a second discovery protocol substream on the same connection, the handler triggers a panic with messages like "Inbound already connected" or "Outbound already connected" instead of failing closed. This causes the networking task (swarm) to crash remotely, taking the node's p2p networking offline until a restart occurs. The vulnerability is tracked as CWE-617 (Reachable Assertion) and is addressed by a patch released in version 1.3.0. No workarounds are known.
Potential Impact
Exploitation of this vulnerability results in a denial-of-service condition by crashing the networking task of the affected node, causing its p2p networking to go offline until the node is restarted. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication.
Mitigation Recommendations
Upgrade to network-libp2p version 1.3.0 or later where the vulnerability is patched. No known workarounds exist. Since this is not a cloud service, remediation depends on applying the official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.866Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9290319fe3cd2cde95599
Added to database: 4/22/2026, 8:01:07 PM
Last enriched: 4/30/2026, 8:13:11 AM
Last updated: 6/6/2026, 1:13:46 PM
Views: 45
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.