CVE-2026-40092: Nimiq Blockchain Node Crash Vulnerability
The National Vulnerability Database has published details for CVE-2026-40092, which affects Nimiq's Rust blockchain implementation. Versions 1.3.0 and below of `nimiq-blockchain` are vulnerable. The high-severity flaw (CVSS 7.5) allows a malicious network peer to crash any Nimiq full node by publishing a specially crafted Kademlia DHT record: a `TaggedSigned<ValidatorRecord, KeyPair>` whose signature field is not exactly 64 bytes long.
The vulnerability lies in the Ed25519 `TaggedPublicKey` implementation. When the victim node's DHT verifier processes the malformed record, the `Ed25519Signature::from_bytes(sig).unwrap()` call panics, because `ed25519_zebra::Signature::try_from` rejects byte slices that are not precisely 64 bytes. The BLS `TaggedPublicKey` implementation handles such errors correctly by returning false; the Ed25519 implementation panics instead. An attacker can therefore cause a denial of service with minimal effort, disrupting network operations.
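The two behaviours contrasted above, as an added Rust example that is not code from nimiq-blockchain or ed25519_zebra. `Sig`, `check`, `verify_unwrap`, `verify_checked`, `accepted` and `sample` are hypothetical names, and `check` is a placeholder comparison standing in for real Ed25519 verification so the block runs with the standard library only.

```rust
use std::convert::TryFrom;
use std::panic;

/// Hypothetical stand-in for a fixed-size Ed25519 signature type.
pub struct Sig([u8; 64]);

impl<'a> TryFrom<&'a [u8]> for Sig {
    type Error = std::array::TryFromSliceError;
    // Rejects any slice that is not exactly 64 bytes long.
    fn try_from(b: &'a [u8]) -> Result<Self, Self::Error> {
        <[u8; 64]>::try_from(b).map(Sig)
    }
}

// Placeholder check, NOT real Ed25519: a constructed "valid" signature is
// the first message byte repeated 64 times.
fn check(sig: &Sig, msg: &[u8]) -> bool {
    let want = msg.first().copied().unwrap_or(0);
    sig.0.iter().all(|&b| b == want)
}

/// Pattern from the advisory: unwrap() on bytes supplied by a peer.
pub fn verify_unwrap(sig: &[u8], msg: &[u8]) -> bool {
    check(&Sig::try_from(sig).unwrap(), msg)
}

/// Hardened pattern: a malformed signature is simply an invalid record.
pub fn verify_checked(sig: &[u8], msg: &[u8]) -> bool {
    Sig::try_from(sig).map_or(false, |s| check(&s, msg))
}

pub type Record = (Vec<u8>, Vec<u8>); // (signature bytes, message bytes)

/// Number of accepted records, or None if the verifier panicked mid-batch.
pub fn accepted(recs: &[Record], verify: fn(&[u8], &[u8]) -> bool) -> Option<usize> {
    panic::catch_unwind(|| recs.iter().filter(|(s, m)| verify(s, m)).count()).ok()
}

/// Constructed records: valid, 63-byte, wrong value, empty signature.
pub fn sample() -> Vec<Record> {
    let msg = vec![7u8, 1];
    vec![(vec![7; 64], msg.clone()), (vec![7; 63], msg.clone()),
         (vec![9; 64], msg.clone()), (vec![], msg)]
}

fn main() {
    let recs = sample();
    println!("unwrap:  {:?}", accepted(&recs, verify_unwrap));
    println!("checked: {:?}", accepted(&recs, verify_checked));
}
```

With the unwrap variant the 63-byte record aborts the whole batch, while the checked variant rejects the three bad records and still accepts the valid one.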
The fix is available in version 1.4.0 of nimiq-blockchain. This isn’t some theoretical flaw; it’s a direct path to take down a full node. For any blockchain project, node stability is paramount. This type of vulnerability can be exploited for network disruption or to facilitate other attacks by weakening the network’s integrity and availability.
What This Means For You
- If your organization operates Nimiq full nodes using the Rust implementation, you are exposed to a denial-of-service attack. Immediately verify your `nimiq-blockchain` version. Patch to version 1.4.0 or higher without delay. This is a critical stability issue that an attacker can exploit with a single malformed packet.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-40092: Nimiq Node Crash via Malformed Kademlia DHT Record
```yaml
# Title is quoted because it contains ": ", which is invalid in a plain YAML scalar
title: 'CVE-2026-40092: Nimiq Node Crash via Malformed Kademlia DHT Record'
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
  Detects the execution of the Nimiq node process with command line arguments indicating DHT interaction, which is the vector for CVE-2026-40092. This rule aims to identify potential exploitation attempts where a crafted Kademlia DHT record is published to crash the node.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40092/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'nimiq-node'
    CommandLine|contains:
      - 'dht'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40092 | DoS | nimiq-blockchain versions 1.3.0 and below |
| CVE-2026-40092 | DoS | Crafted Kademlia DHT record with TaggedSigned |
| CVE-2026-40092 | DoS | Vulnerable function: TaggedSigned::verify leading to Ed25519Signature::from_bytes(sig).unwrap() in TaggedPublicKey implementation for Ed25519PublicKey |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.