CVE-2026-34064: CWE-191: Integer Underflow (Wrap or Wraparound) in nimiq nimiq-account
CVE-2026-34064 is an integer underflow vulnerability in the nimiq-account Rust implementation prior to version 1. 3. 0. The issue occurs in the VestingContract::can_change_balance function, where an underflow panic can crash the node if an attacker creates a vesting contract with a total_amount exceeding the actual contract balance. This leads to a panic during mempool admission and block processing when an outgoing transaction triggers the vulnerable code path. The vulnerability has a medium severity with a CVSS score of 5. 3. A patch fixing this issue is included in version 1. 3. 0.
AI Analysis
Technical Summary
The vulnerability in nimiq-account versions before 1.3.0 arises from an integer underflow in the VestingContract::can_change_balance method. When new_balance is less than min_cap, the function attempts to return an error with balance calculated as self.balance - min_cap. If min_cap is greater than balance, this subtraction underflows, causing Coin::sub to panic and crash the node. An attacker can exploit this by creating a vesting contract with a total_amount that is not validated against the actual contract balance, enabling the underflow condition. Triggering an outgoing transaction then causes the panic during mempool admission and block processing, resulting in a denial of service. The issue is fixed in nimiq-account version 1.3.0.
Potential Impact
The vulnerability can cause the node to crash due to an integer underflow panic when processing certain vesting contracts and outgoing transactions. This results in a denial of service condition affecting availability. There is no direct impact on confidentiality or integrity reported. No known exploits are currently in the wild.
Mitigation Recommendations
A fix for this vulnerability is included in nimiq-account version 1.3.0. Users should upgrade to version 1.3.0 or later to remediate this issue. No workarounds are available. Patch status is not explicitly stated beyond inclusion in version 1.3.0, so users should verify upgrade success and monitor vendor advisories for further updates.
CVE-2026-34064: CWE-191: Integer Underflow (Wrap or Wraparound) in nimiq nimiq-account
Description
CVE-2026-34064 is an integer underflow vulnerability in the nimiq-account Rust implementation prior to version 1. 3. 0. The issue occurs in the VestingContract::can_change_balance function, where an underflow panic can crash the node if an attacker creates a vesting contract with a total_amount exceeding the actual contract balance. This leads to a panic during mempool admission and block processing when an outgoing transaction triggers the vulnerable code path. The vulnerability has a medium severity with a CVSS score of 5. 3. A patch fixing this issue is included in version 1. 3. 0.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nimiq-account versions before 1.3.0 arises from an integer underflow in the VestingContract::can_change_balance method. When new_balance is less than min_cap, the function attempts to return an error with balance calculated as self.balance - min_cap. If min_cap is greater than balance, this subtraction underflows, causing Coin::sub to panic and crash the node. An attacker can exploit this by creating a vesting contract with a total_amount that is not validated against the actual contract balance, enabling the underflow condition. Triggering an outgoing transaction then causes the panic during mempool admission and block processing, resulting in a denial of service. The issue is fixed in nimiq-account version 1.3.0.
Potential Impact
The vulnerability can cause the node to crash due to an integer underflow panic when processing certain vesting contracts and outgoing transactions. This results in a denial of service condition affecting availability. There is no direct impact on confidentiality or integrity reported. No known exploits are currently in the wild.
Mitigation Recommendations
A fix for this vulnerability is included in nimiq-account version 1.3.0. Users should upgrade to version 1.3.0 or later to remediate this issue. No workarounds are available. Patch status is not explicitly stated beyond inclusion in version 1.3.0, so users should verify upgrade success and monitor vendor advisories for further updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.867Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9290319fe3cd2cde9559f
Added to database: 4/22/2026, 8:01:07 PM
Last enriched: 4/30/2026, 8:11:01 AM
Last updated: 6/5/2026, 7:49:41 AM
Views: 44
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.