CVE-2026-34069: CWE-617: Reachable Assertion in nimiq core-rs-albatross
A reachable assertion vulnerability exists in nimiq/core-rs-albatross versions 1. 2. 2 and below. An unauthenticated peer can send a crafted RequestMacroChain message that causes the handler to panic due to an unexpected micro block hash being treated as a macro block hash. This leads to a denial of service condition by crashing the task handling the message. The issue is fixed in version 1. 3. 0.
AI Analysis
Technical Summary
The vulnerability in nimiq/core-rs-albatross (a Rust implementation of the Nimiq Proof-of-Stake protocol) arises when the RequestMacroChain message handler selects a block locator hash based solely on whether it is on the main chain, without verifying if it is a macro block. If an unauthenticated peer sends a RequestMacroChain message where the first locator hash is a micro block hash, the handler calls get_macro_blocks() and panics due to an unwrap() on a BlockchainError::BlockIsNotMacro error. This causes the handler task to crash, resulting in a denial of service. The flaw is identified as CWE-617 (Reachable Assertion) and affects versions prior to 1.3.0.
Potential Impact
Exploitation of this vulnerability allows an unauthenticated network peer to cause a denial of service by crashing the RequestMacroChain message handler task. There is no impact on confidentiality or integrity. The CVSS 3.1 base score is 5.3 (medium severity), reflecting a network attack vector with no privileges required and no user interaction needed, but limited to availability impact.
Mitigation Recommendations
Upgrade to nimiq/core-rs-albatross version 1.3.0 or later, where this issue has been fixed. No other mitigation or workaround is indicated in the available data.
CVE-2026-34069: CWE-617: Reachable Assertion in nimiq core-rs-albatross
Description
A reachable assertion vulnerability exists in nimiq/core-rs-albatross versions 1. 2. 2 and below. An unauthenticated peer can send a crafted RequestMacroChain message that causes the handler to panic due to an unexpected micro block hash being treated as a macro block hash. This leads to a denial of service condition by crashing the task handling the message. The issue is fixed in version 1. 3. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nimiq/core-rs-albatross (a Rust implementation of the Nimiq Proof-of-Stake protocol) arises when the RequestMacroChain message handler selects a block locator hash based solely on whether it is on the main chain, without verifying if it is a macro block. If an unauthenticated peer sends a RequestMacroChain message where the first locator hash is a micro block hash, the handler calls get_macro_blocks() and panics due to an unwrap() on a BlockchainError::BlockIsNotMacro error. This causes the handler task to crash, resulting in a denial of service. The flaw is identified as CWE-617 (Reachable Assertion) and affects versions prior to 1.3.0.
Potential Impact
Exploitation of this vulnerability allows an unauthenticated network peer to cause a denial of service by crashing the RequestMacroChain message handler task. There is no impact on confidentiality or integrity. The CVSS 3.1 base score is 5.3 (medium severity), reflecting a network attack vector with no privileges required and no user interaction needed, but limited to availability impact.
Mitigation Recommendations
Upgrade to nimiq/core-rs-albatross version 1.3.0 or later, where this issue has been fixed. No other mitigation or workaround is indicated in the available data.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-25T16:21:40.867Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd877882d89c981f920dc4
Added to database: 4/14/2026, 12:16:56 AM
Last enriched: 4/21/2026, 6:15:07 AM
Last updated: 5/10/2026, 7:28:59 AM
Views: 51
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.