CVE-2026-40094

Published: Mag 21, 2026 Last Modified: Mag 21, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low

Description

AI Translation Available

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect('every peer should have at least one address'). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0.

754

Improper Check for Unusual or Exceptional Conditions

Incomplete
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability
Potential Impacts:
Dos: Crash, Exit, Or Restart Unexpected State
Applicable Platforms
All platforms may be affected
Likelihood of Exploit: Medium
View CWE Details
https://github.com/nimiq/core-rs-albatross/pull/3715
https://github.com/nimiq/core-rs-albatross/pull/3715
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.…
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0
https://github.com/nimiq/core-rs-albatross/security/advisor…
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-c45m-6x25-3…