CVE-2026-33471: nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation
(updated )
SkipBlockProof::verify computes its quorum check using BitSet.len(), then iterates BitSet indices and casts each usize index to u16 (slot as u16) for slot lookup. If an attacker can get a SkipBlockProof verified where MultiSignature.signers contains out-of-range indices spaced by 65536, these indices inflate len() but collide onto the same in-range u16 slot during aggregation.
This makes it possible for a malicious validator with far fewer than 2f+1 real signer slots to pass skip block proof verification by multiplying a single BLS signature by the same factor.
References
- github.com/advisories/GHSA-6973-8887-87ff
- github.com/nimiq/core-rs-albatross
- github.com/nimiq/core-rs-albatross/commit/d02059053181ed8ddad6b59a0adfd661ef5cd823
- github.com/nimiq/core-rs-albatross/pull/3657
- github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-6973-8887-87ff
- nvd.nist.gov/vuln/detail/CVE-2026-33471
Code Behaviors & Features
Detect and mitigate CVE-2026-33471 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →