CVE-2026-46543: nimiq-blockchain: Genesis batch set request
A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block’s hash. The handler calls get_epoch_chunks, which iterates backwards through macro blocks using Policy::macro_block_before. When the iteration reaches the genesis block number, macro_block_before panics with “No macro blocks before genesis block”.
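The failure pattern described above, shown as an added example in a simplified model (not code from nimiq/core-rs-albatross and not the project's actual fix): a backward walk driven by a peer-supplied start block, once with a panicking helper and once with a checked helper that turns the genesis boundary into an error. The constants, the function names other than macro_block_before, and the election-block rule are assumptions made for the illustration.

```rust
// Simplified model for illustration; constants and bodies are assumptions,
// not Nimiq's code. Only the panic message is taken from the advisory.
const GENESIS: u32 = 1_000; // constructed genesis block number
const BLOCKS_PER_BATCH: u32 = 60; // constructed: macro block every 60 blocks
const BLOCKS_PER_EPOCH: u32 = 240; // constructed: election block every 4 batches

fn is_election(n: u32) -> bool { n >= GENESIS && (n - GENESIS) % BLOCKS_PER_EPOCH == 0 }

/// Panicking helper, mirroring the behaviour the advisory describes.
fn macro_block_before(n: u32) -> u32 {
    if n <= GENESIS { panic!("No macro blocks before genesis block"); }
    GENESIS + (n - GENESIS - 1) / BLOCKS_PER_BATCH * BLOCKS_PER_BATCH
}

/// Checked variant: the boundary becomes a value the caller must handle.
fn checked_macro_block_before(n: u32) -> Option<u32> {
    (n > GENESIS).then(|| macro_block_before(n))
}

/// Unchecked backward walk: `start` is derived from the peer's request.
fn epoch_macro_blocks_unchecked(start: u32) -> Vec<u32> {
    let mut out = Vec::new();
    let mut current = start;
    loop {
        current = macro_block_before(current); // panics when start == GENESIS
        out.push(current);
        if is_election(current) {
            return out;
        }
    }
}

/// Hardened walk: a request at or before genesis yields an error, not a panic.
fn epoch_macro_blocks_checked(start: u32) -> Result<Vec<u32>, &'static str> {
    let mut out = Vec::new();
    let mut current = start;
    loop {
        current = checked_macro_block_before(current).ok_or("no macro block before genesis")?;
        out.push(current);
        if is_election(current) {
            return Ok(out);
        }
    }
}

fn main() {
    println!("{:?}", epoch_macro_blocks_checked(GENESIS + 130));
    println!("{:?}", epoch_macro_blocks_checked(GENESIS));
}
```

In the checked form the handler can answer the request with an error response, so the boundary value no longer takes the process down.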
References
- github.com/advisories/GHSA-vghx-352f-93jm
- github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596
- github.com/nimiq/core-rs-albatross/pull/3745
- github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm
- nvd.nist.gov/vuln/detail/CVE-2026-46543