GHSA-48m6-486p-9j8p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-48m6-486p-9j8p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-48m6-486p-9j8p/GHSA-48m6-486p-9j8p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-48m6-486p-9j8p
- Aliases
-
- CVE-2026-34069
- Published
- 2026-04-13T16:36:00Z
- Modified
- 2026-04-13T17:13:52.508563Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- nimiq-consensus panics via RequestMacroChain micro-block locator
- Details
-
Impact
An unauthenticated p2p peer can cause the
RequestMacroChainmessage handler task to panic by sending aRequestMacroChainmessage where the first locator hash that is on the victim’s main chain is a micro block hash (not a macro block hash).In
RequestMacroChain::handle, the handler selects the locator based only on "is on main chain", then callsget_macro_blocks()and panics via.unwrap()when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro).Patches
The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3660) is formally released as part of v1.3.0.
Workarounds
No known workarounds.
- Database specific
{ "cwe_ids": [ "CWE-617" ], "github_reviewed_at": "2026-04-13T16:36:00Z", "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-48m6-486p-9j8p
- https://github.com/nimiq/core-rs-albatross/pull/3660
- https://github.com/nimiq/core-rs-albatross/commit/ae6c1e92342e72f80fd12accbe66ee80dd6802ac
- https://github.com/nimiq/core-rs-albatross
- https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0
Affected packages
crates.io / nimiq-consensus
Package
- Name
- nimiq-consensus
- View open source insights on deps.dev
- Purl
- pkg:cargo/nimiq-consensus