Nimiq Primitives Node Panic via Malformed BLS Key

/HIGH /CVSS 7.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-252cwe-755
Nimiq Primitives Node Panic via Malformed BLS Key

The National Vulnerability Database has detailed CVE-2026-34065, a high-severity vulnerability (CVSS 7.5) affecting nimiq-primitives prior to version 1.3.0. This library underpins Nimiq’s Rust implementation, providing core elements like blocks and transactions. The flaw allows an untrusted peer-to-peer node to trigger a denial-of-service condition by announcing an election macro block containing an invalid compressed BLS voting key.

The vulnerability stems from how the system processes election macro headers. Specifically, hashing these headers involves validating the validators set, which subsequently calls validator.voting_key.uncompress().unwrap(). An invalid compressed BLS voting key causes this uncompression to panic, effectively crashing the node. This is a critical unauthenticated remote denial-of-service vector, as any untrusted P2P peer can exploit it.

Defenders must prioritize patching. The National Vulnerability Database confirms that the fix is included in version 1.3.0, and no workarounds are available. This means immediate upgrade is the only viable mitigation. The attacker’s calculus here is straightforward: achieve maximum disruption with minimal effort, leveraging a known cryptographic validation failure.

What This Means For You

  • If your organization operates Nimiq Rust nodes, you are exposed to a remote denial-of-service attack. Check your `nimiq-primitives` version immediately. You must upgrade to version 1.3.0 or later to patch CVE-2026-34065. There are no known workarounds, so delaying the patch leaves your nodes vulnerable to unauthenticated crashes.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

1 rule · 6 SIEM formats

1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-34065 - Nimiq Node Panic via Malformed BLS Key

Sigma YAML — free preview
✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Export via Bot →

Indicators of Compromise

IDTypeIndicator
CVE-2026-34065 DoS nimiq-primitives prior to version 1.3.0
CVE-2026-34065 DoS Panic caused by invalid compressed BLS voting key in election macro block validators set
CVE-2026-34065 DoS Vulnerable function: Validators::voting_keys() calling validator.voting_key.uncompress().unwrap()

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 22, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related Posts

Jellystat SQLi to RCE Critical Vulnerability (CVE-2026-41167)

CVE-2026-41167 — Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries...

vulnerabilityCVEcriticalhigh-severitycwe-89
/SCW Vulnerability Desk /CRITICAL /9.1 /⚑ 4 IOCs /⚙ 3 Sigma

OpenRemote Privilege Escalation: Master Realm at Risk

CVE-2026-41166 — OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.1, a user who has `write:admin` in one Keycloak realm can call the Manager...

vulnerabilityCVEhigh-severityprivilege-escalationcwe-284
/SCW Vulnerability Desk /HIGH /7 /⚑ 3 IOCs /⚙ 2 Sigma

RustFS Flaw: Non-Admin Takeover of Notification Targets

CVE-2026-40937 — RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /8.3 /⚑ 3 IOCs /⚙ 3 Sigma