CVE-2026-34065: CWE-252: Unchecked Return Value in nimiq nimiq-primitives
A vulnerability in nimiq-primitives versions prior to 1. 3. 0 allows an untrusted peer to cause a node to panic by sending an election macro block with an invalid compressed BLS voting key. This occurs because the code does not properly handle errors when uncompressing the voting key, leading to a panic and denial of service. The issue is fixed in version 1. 3. 0. No known workarounds exist.
AI Analysis
Technical Summary
The nimiq-primitives Rust library, used in Nimiq's implementation, contains a vulnerability (CVE-2026-34065) where an untrusted peer can trigger a panic in a node by announcing an election macro block with a validators set containing an invalid compressed BLS voting key. The panic occurs because the method voting_key.uncompress().unwrap() is called without checking for errors, causing the node to crash when invalid bytes are encountered. This vulnerability affects all versions prior to 1.3.0 and results in denial of service. The issue is addressed by a patch included in version 1.3.0.
Potential Impact
An attacker controlling an untrusted peer in the Nimiq network can cause a denial of service by crashing nodes through malformed election macro blocks. There is no impact on confidentiality or integrity, but availability is affected due to node panics. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to nimiq-primitives version 1.3.0 or later, which includes the patch that properly handles invalid compressed BLS voting keys and prevents node panics. No workarounds are available. Since this is not a cloud service, users must apply the update themselves.
CVE-2026-34065: CWE-252: Unchecked Return Value in nimiq nimiq-primitives
Description
A vulnerability in nimiq-primitives versions prior to 1. 3. 0 allows an untrusted peer to cause a node to panic by sending an election macro block with an invalid compressed BLS voting key. This occurs because the code does not properly handle errors when uncompressing the voting key, leading to a panic and denial of service. The issue is fixed in version 1. 3. 0. No known workarounds exist.
CVSS v3.1
Score 7.5high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The nimiq-primitives Rust library, used in Nimiq's implementation, contains a vulnerability (CVE-2026-34065) where an untrusted peer can trigger a panic in a node by announcing an election macro block with a validators set containing an invalid compressed BLS voting key. The panic occurs because the method voting_key.uncompress().unwrap() is called without checking for errors, causing the node to crash when invalid bytes are encountered. This vulnerability affects all versions prior to 1.3.0 and results in denial of service. The issue is addressed by a patch included in version 1.3.0.
Potential Impact
An attacker controlling an untrusted peer in the Nimiq network can cause a denial of service by crashing nodes through malformed election macro blocks. There is no impact on confidentiality or integrity, but availability is affected due to node panics. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to nimiq-primitives version 1.3.0 or later, which includes the patch that properly handles invalid compressed BLS voting keys and prevents node panics. No workarounds are available. Since this is not a cloud service, users must apply the update themselves.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.867Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9290319fe3cd2cde955a5
Added to database: 4/22/2026, 8:01:07 PM
Last enriched: 4/30/2026, 8:13:18 AM
Last updated: 6/5/2026, 7:24:09 AM
Views: 70
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.