Nimiq network-libp2p Crash Vulnerability: CVE-2026-34063
The National Vulnerability Database has detailed CVE-2026-34063, a high-severity vulnerability (CVSS 7.5) affecting Nimiq’s network-libp2p prior to version 1.3.0. This component, an implementation of the Nimiq network based on libp2p, uses a ConnectionHandler state machine for discovery. The critical flaw lies in its assumption of a single inbound and outbound discovery substream per connection.
Should a remote peer initiate the discovery protocol substream a second time on the same connection, the handler fails catastrophically with a panic, specifically “Inbound already connected” or “Outbound already connected.” This isn’t a graceful failure; it crashes the node’s P2P networking task (the swarm), effectively taking the node offline until it’s manually restarted. The National Vulnerability Database states no known workarounds are available, making patching the only viable defense.
This is a denial-of-service vector that’s trivial to exploit from an attacker’s perspective — no authentication, no complex pre-conditions. For any organization running Nimiq nodes, this means an unpatched system is a single malicious connection away from being knocked offline. The fix is included in v1.3.0, so updating is paramount to maintaining network stability and availability.
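The single-substream-per-direction assumption described above, shown as an added Rust example that is not code from the Nimiq network-libp2p project: a toy per-connection state holder keeps the vulnerable pattern (a second discovery substream in the same direction aborts the task with a panic) beside a hardened variant that reports the same condition as a recoverable error the handler can act on. The `DiscoveryState` type, its method names and the substream ids are assumptions; no real libp2p types are used.

```rust
use std::panic;

/// Direction of a discovery substream on one connection (assumed naming).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Direction {
    Inbound,
    Outbound,
}

/// Recoverable error returned by the hardened handler instead of panicking.
#[derive(Debug, PartialEq, Eq)]
pub enum SubstreamError {
    /// A discovery substream in this direction is already open on the connection.
    AlreadyConnected(Direction),
}

/// Per-connection discovery state modelling the "one inbound and one outbound
/// substream per connection" assumption. The ids are constructed sample values.
#[derive(Default)]
pub struct DiscoveryState {
    inbound: Option<u64>,  // id of the open inbound discovery substream, if any
    outbound: Option<u64>, // id of the open outbound discovery substream, if any
}

impl DiscoveryState {
    /// Vulnerable pattern: a duplicate substream aborts the task with a panic
    /// ("Inbound already connected" / "Outbound already connected"). Inside a
    /// swarm task nothing catches this, so the node's networking goes down.
    pub fn inject_substream_panicking(&mut self, dir: Direction, id: u64) {
        let slot = match dir {
            Direction::Inbound => &mut self.inbound,
            Direction::Outbound => &mut self.outbound,
        };
        if slot.is_some() {
            match dir {
                Direction::Inbound => panic!("Inbound already connected"),
                Direction::Outbound => panic!("Outbound already connected"),
            }
        }
        *slot = Some(id);
    }

    /// Hardened pattern: the same condition is surfaced as an error, so the
    /// handler can drop the duplicate substream (or close the offending
    /// connection) while the swarm keeps running.
    pub fn inject_substream_checked(&mut self, dir: Direction, id: u64) -> Result<(), SubstreamError> {
        let slot = match dir {
            Direction::Inbound => &mut self.inbound,
            Direction::Outbound => &mut self.outbound,
        };
        if slot.is_some() {
            return Err(SubstreamError::AlreadyConnected(dir));
        }
        *slot = Some(id);
        Ok(())
    }

    pub fn has_inbound(&self) -> bool {
        self.inbound.is_some()
    }
}

/// Simulates a remote peer opening the inbound discovery substream twice on the
/// same connection against the hardened handler. Returns whether the first
/// substream is still registered and the error raised for the second one.
pub fn handle_duplicate_inbound_checked() -> (bool, Option<SubstreamError>) {
    let mut state = DiscoveryState::default();
    state
        .inject_substream_checked(Direction::Inbound, 1)
        .expect("first inbound substream is accepted");
    let second = state.inject_substream_checked(Direction::Inbound, 2);
    (state.has_inbound(), second.err())
}

/// Runs the panicking variant under catch_unwind purely to demonstrate that the
/// duplicate substream unwinds the task; a real swarm task has no such guard.
pub fn duplicate_inbound_panics() -> bool {
    panic::catch_unwind(|| {
        let mut state = DiscoveryState::default();
        state.inject_substream_panicking(Direction::Inbound, 1);
        state.inject_substream_panicking(Direction::Inbound, 2);
    })
    .is_err()
}

fn main() {
    println!("panicking handler aborted on duplicate: {}", duplicate_inbound_panics());
    let (first_kept, err) = handle_duplicate_inbound_checked();
    println!("checked handler kept first substream: {first_kept}, second rejected with {err:?}");
}
```

The point of the hardened variant is not the check itself (both versions detect the duplicate) but where the result goes: an `Err` lets the connection handler decide what to do with a misbehaving peer, whereas a `panic!` inside the swarm task terminates the node's networking, which is exactly the outage the advisory describes.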
What This Means For You
- If your organization operates Nimiq network nodes using `network-libp2p`, you are exposed to remote denial-of-service. Immediately verify your `network-libp2p` version. If it's prior to 1.3.0, prioritize upgrading to version 1.3.0 or newer to mitigate CVE-2026-34063. No workarounds exist, so patch or face potential node outages.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-34063 | DoS | Nimiq network-libp2p prior to version 1.3.0 |
| CVE-2026-34063 | DoS | Vulnerable component: libp2p ConnectionHandler state machine in network-libp2p |
| CVE-2026-34063 | DoS | Attack vector: Remote peer opening discovery protocol substream a second time on the same connection |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 22, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.