CVE-2026-46542

Published: Giu 10, 2026 Last Modified: Giu 10, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,3
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: low

Description

AI Translation Available

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs called .unwrap() on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Ed25519PublicKey construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the hosting process. This issue has been patched in version 1.4.0.

617

Reachable Assertion

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Crash, Exit, Or Restart
Applicable Platforms
Languages: Not Language-Specific, C, Java, Rust
View CWE Details
https://github.com/nimiq/core-rs-albatross/pull/3713
https://github.com/nimiq/core-rs-albatross/pull/3713
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.…
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0
https://github.com/nimiq/core-rs-albatross/security/advisor…
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-h9cc-w26m-j…