CVE-2026-34067: CWE-617: Reachable Assertion in nimiq nimiq-transaction
CVE-2026-34067 is a low-severity vulnerability in the nimiq-transaction Rust library used by Nimiq. Before version 1. 3. 0, the function HistoryTreeProof::verify contains an assertion that panics if a malformed proof has mismatched lengths between history and positions arrays. Since the proof data is attacker-controlled from untrusted peer-to-peer network responses, a malicious actor could cause the application to crash by sending a crafted proof with length mismatch. The issue is fixed in version 1. 3. 0. No workarounds are known.
AI Analysis
Technical Summary
The vulnerability exists in the nimiq-transaction Rust library prior to version 1.3.0, where the HistoryTreeProof::verify method uses an assert_eq! macro to check that the lengths of history and positions arrays are equal. This assertion is reachable with attacker-controlled input derived from untrusted p2p network responses. If an attacker sends a malformed inclusion proof with mismatched lengths, the assertion triggers a panic, causing a denial of service via application crash. The patch resolving this issue is included in version 1.3.0 of the library.
Potential Impact
An attacker controlling network responses can cause the application using nimiq-transaction versions before 1.3.0 to crash by sending a malformed proof with length mismatches. This results in a denial of service condition. There is no impact on confidentiality or integrity. The CVSS score is 3.1 (low severity) reflecting the limited impact and required user interaction.
Mitigation Recommendations
Upgrade to nimiq-transaction version 1.3.0 or later, where the assertion panic is fixed. No known workarounds exist. Since this is a library vulnerability, ensure that all dependent software using nimiq-transaction is updated accordingly.
CVE-2026-34067: CWE-617: Reachable Assertion in nimiq nimiq-transaction
Description
CVE-2026-34067 is a low-severity vulnerability in the nimiq-transaction Rust library used by Nimiq. Before version 1. 3. 0, the function HistoryTreeProof::verify contains an assertion that panics if a malformed proof has mismatched lengths between history and positions arrays. Since the proof data is attacker-controlled from untrusted peer-to-peer network responses, a malicious actor could cause the application to crash by sending a crafted proof with length mismatch. The issue is fixed in version 1. 3. 0. No workarounds are known.
CVSS v3.1
Score 3.1low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the nimiq-transaction Rust library prior to version 1.3.0, where the HistoryTreeProof::verify method uses an assert_eq! macro to check that the lengths of history and positions arrays are equal. This assertion is reachable with attacker-controlled input derived from untrusted p2p network responses. If an attacker sends a malformed inclusion proof with mismatched lengths, the assertion triggers a panic, causing a denial of service via application crash. The patch resolving this issue is included in version 1.3.0 of the library.
Potential Impact
An attacker controlling network responses can cause the application using nimiq-transaction versions before 1.3.0 to crash by sending a malformed proof with length mismatches. This results in a denial of service condition. There is no impact on confidentiality or integrity. The CVSS score is 3.1 (low severity) reflecting the limited impact and required user interaction.
Mitigation Recommendations
Upgrade to nimiq-transaction version 1.3.0 or later, where the assertion panic is fixed. No known workarounds exist. Since this is a library vulnerability, ensure that all dependent software using nimiq-transaction is updated accordingly.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.867Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e92c8e19fe3cd2cdeac9a0
Added to database: 4/22/2026, 8:16:14 PM
Last enriched: 4/30/2026, 8:13:22 AM
Last updated: 6/5/2026, 11:41:11 PM
Views: 67
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.