Nimiq Rust Components Exposed to Consensus and Supply Manipulation Flaws
Two high-severity vulnerabilities were disclosed in Nimiq's Rust implementation affecting blockchain validation and consensus logic. CVE-2026-40093 impacts nimiq-blockchain version 1.3.0 and earlier because block timestamp validation checks only consistency with the parent block and does not enforce an upper bound against wall-clock time. A malicious block-producing validator can submit blocks dated far into the future, which alters reward calculations in Policy::supply_at() and batch_delay() and can inflate monetary supply beyond the intended emission schedule. The issue was mapped to CWE-1284 and published alongside GitHub advisory GHSA-49xc-52mp-cc9j.
A second flaw, CVE-2026-33471, affects nimiq-block versions prior to 1.3.0 in SkipBlockProof::verify, where quorum validation can be bypassed through out-of-range BitSet indices and u16 truncation. By spacing forged signer indices by 65536, a malicious validator can make multiple entries collide into the same valid slot and effectively reuse a single BLS signature to satisfy skip block proof checks without the required 2f+1 real signer slots. The vulnerability carries no known workaround, and the fix was released in version 1.3.0, highlighting risks to both consensus integrity and chain availability if unpatched nodes remain in use.
Timeline
Apr 22, 2026
CVE-2026-33471 is disclosed for nimiq-block
A new CVE entry disclosed a high-severity flaw in nimiq-block where SkipBlockProof::verify could be abused to bypass quorum validation by colliding out-of-range signer indices into valid u16 slots. The vulnerability allowed a malicious validator to satisfy verification with fewer than the required 2f+1 real signer slots.
Apr 22, 2026
Nimiq fixes skip block quorum bypass in version 1.3.0
Nimiq released version 1.3.0 to fix a flaw in nimiq-block's SkipBlockProof::verify that allowed out-of-range BitSet indices and u16 truncation to bypass the required skip block quorum. The issue affected versions prior to 1.3.0, and no workaround was noted.
Apr 9, 2026
CVE-2026-40093 and related GitHub advisory are published
A CVE entry for nimiq-blockchain was published describing a timestamp-validation flaw that let a malicious validator create blocks far in the future, impacting reward calculations and inflating supply beyond the intended emission schedule. GitHub also published the related advisory GHSA-49xc-52mp-cc9j the same day.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
Related Stories
Critical Zebra Flaws Enable Zcash Node Crashes and Consensus Splits
Two high-severity vulnerabilities in **Zebra**, the Rust-based Zcash node implementation, could let attackers disrupt node availability and network consensus. **`CVE-2026-34202`** allows a remote, unauthenticated attacker to crash vulnerable nodes by sending a specially crafted **V5 transaction** that passes deserialization but triggers a panic during transaction ID calculation. The bug affects versions before **`zebrad 4.3.0`** and **`zebra-chain 6.0.1`**, creating a P2P-reachable denial-of-service condition with high availability impact. A second flaw, **`CVE-2026-34377`**, stems from improper verification in Zebra's transaction verification cache and could allow a malicious miner to cause a **consensus split**. By reusing a valid transaction ID with invalid authorization data, an attacker could make vulnerable Zebra nodes accept an invalid block while **invulnerable Zebra and Zcashd nodes** stay on the correct chain. The issue affects versions before **`zebrad 4.3.0`** and **`zebra-consensus 5.0.1`**; patches are available in **`zebrad 4.3.0`**, **`zebra-chain 6.0.1`**, and **`zebra-consensus 5.0.1`**.
1 weeks ago
libp2p-rust Gossipsub PRUNE Backoff Flaws Enable Remote DoS
Two high-severity flaws in the Rust implementation of **libp2p** allow remote peers to crash applications using the **Gossipsub** protocol by sending crafted `PRUNE` control messages with extremely large backoff values. **CVE-2026-33040** affects versions prior to `0.49.3`, where unchecked time arithmetic in the networking state machine can panic and cause a denial of service, while **CVE-2026-34219** affects versions prior to `0.49.4` through improper backoff expiry handling that triggers an `Instant + Duration` integer overflow during heartbeat processing. The bugs are reachable over normal Gossipsub peer connectivity, including TCP sessions using Noise with `mplex` or `yamux`, and do not require traditional authentication beyond establishing a protocol peer relationship. Both issues are classified under **CWE-190** for integer overflow, with the newer advisory also citing **CWE-617**, and both primarily impact availability by enabling unauthenticated or minimally authenticated remote attackers to force panics in exposed services. Maintainers patched the issues in **libp2p-rust** versions `0.49.3` and `0.49.4`, respectively.
1 months ago
rust-openssl Flaws Enable Memory Disclosure and Buffer Overwrite
Two high-severity vulnerabilities were disclosed in **rust-openssl**, the Rust bindings for OpenSSL, affecting multiple `0.9.x` and `0.10.x` releases prior to **`0.10.78`**. **`CVE-2026-41898`** affects versions from `0.9.24` up to, but not including, `0.10.78`, where several FFI trampoline callback paths passed a closure-returned `usize` to OpenSSL without validating it against the output buffer size. The flaw can trigger buffer overflows and leak adjacent memory to a network peer, and it is mapped to **`CWE-126`** and **`CWE-130`**. A second issue, **`CVE-2026-41681`**, affects versions from `0.10.39` up to, but not including, `0.10.78`, in `MdCtxRef::digest_final()`, which writes `EVP_MD_CTX_size(ctx)` bytes to the caller buffer without checking whether the buffer is large enough. The resulting out-of-bounds write can cause stack corruption and is reachable from safe Rust, with the weakness classified as **`CWE-121`**. Both vulnerabilities were addressed in **`rust-openssl 0.10.78`**, with public advisories, code references, and fix details released alongside the CVE records.
1 weeks ago