CVE-2026-34064

Source
https://cve.org/CVERecord?id=CVE-2026-34064
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34064.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34064
Aliases
Published
2026-04-22T19:43:04.453Z
Modified
2026-07-08T08:12:50.028446024Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
nimiq-account: Vesting insufficient funds error can panic
Details

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error. The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34064.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-191"
    ]
}
References

Affected packages

Git / github.com/nimiq/core-rs-albatross

Affected ranges

Type
GIT
Repo
https://github.com/nimiq/core-rs-albatross
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:nimiq:nimiq_proof-of-stake:*:*:*:*:*:rust:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.3.0"
        }
    ]
}

Affected versions

v0.*
v0.1.0
v0.1.0-rc.0
v0.1.0-rc.1
v0.1.0-rc.2
v0.1.0-rc.3
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.11.4
v0.11.5
v0.12.0
v0.12.1
v0.13.0
v0.13.1
v0.14.0
v0.15.0
v0.16.0
v0.16.1
v0.17.0
v0.18.0
v0.19.0
v0.2.0
v0.2.1
v0.2.2
v0.20.0
v0.20.1
v0.20.2
v0.20.3
v0.20.4
v0.20.5
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.22.2
v0.22.3
v0.23.0
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0
v1.*
v1.0.0
v1.0.0-rc.0
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.3
v1.0.0-rc.4
v1.0.0-rc.5
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34064.json"