CVE-2026-34065: nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals
An untrusted p2p peer can cause a node to panic by announcing an election macro block whose validator set contains an invalid compressed BLS voting key.
Hashing an election macro header also hashes its validators, which reaches Validators::voting_keys(). That function calls validator.voting_key.uncompress().unwrap() and panics on invalid bytes.
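The pattern described above, shown beside a fallible form, as an added example that is not code from nimiq-primitives or from the fix commit. Only voting_keys() and the uncompress().unwrap() call come from the advisory; CompressedKey, PublicKey, DecodeError, try_voting_keys, handle_announced_set and the toy XOR validity rule are hypothetical stand-ins for the real BLS types and point decompression.

```rust
use std::panic;

// Hypothetical stand-ins: the real types live in the project's BLS code.
#[derive(Debug, PartialEq)]
pub struct DecodeError;

#[derive(Debug, PartialEq)]
pub struct PublicKey(pub u8);

pub struct CompressedKey(pub [u8; 4]);

impl CompressedKey {
    // Toy rule standing in for curve-point decompression (assumption):
    // the last byte must equal the XOR of the first three.
    pub fn uncompress(&self) -> Result<PublicKey, DecodeError> {
        let b = self.0;
        if b[0] ^ b[1] ^ b[2] == b[3] { Ok(PublicKey(b[0])) } else { Err(DecodeError) }
    }
}

pub struct Validators(pub Vec<CompressedKey>);

impl Validators {
    // Pattern from the advisory: unwrap() on bytes a peer controls.
    pub fn voting_keys(&self) -> Vec<PublicKey> {
        self.0.iter().map(|k| k.uncompress().unwrap()).collect()
    }

    // Fallible form: the first bad key becomes an Err the caller can act on.
    pub fn try_voting_keys(&self) -> Result<Vec<PublicKey>, DecodeError> {
        self.0.iter().map(|k| k.uncompress()).collect()
    }
}

// Returns (did the unwrap path panic, outcome of the fallible path).
// catch_unwind is used only to observe the panic; it is not the mitigation.
pub fn handle_announced_set(v: &Validators) -> (bool, Result<usize, DecodeError>) {
    let panicked = panic::catch_unwind(panic::AssertUnwindSafe(|| v.voting_keys())).is_err();
    (panicked, v.try_voting_keys().map(|keys| keys.len()))
}

fn main() {
    // Constructed input: one well-formed key followed by one malformed key.
    let announced = Validators(vec![CompressedKey([1, 2, 3, 0]), CompressedKey([1, 2, 3, 9])]);
    println!("{:?}", handle_announced_set(&announced));
}
```

With the fallible form, a malformed key in a peer-supplied validator set turns into a rejected block rather than a process abort.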
References
- github.com/advisories/GHSA-7c4j-2m43-2mgh
- github.com/nimiq/core-rs-albatross
- github.com/nimiq/core-rs-albatross/commit/e10eaebcd7774e5da6d0ff5e88ed13503474f0ff
- github.com/nimiq/core-rs-albatross/pull/3662
- github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
- github.com/nimiq/core-rs-albatross/security/advisories/GHSA-7c4j-2m43-2mgh
- nvd.nist.gov/vuln/detail/CVE-2026-34065