CVE-2026-46541 | Severity: HIGH | CNA: GitHub_M

CVE-2026-46541: Nimiq network-libp2p: DHT query poisoning via first-record verification failure

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, in handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails verification (for example because it came from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: (no version listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the DHT (Distributed Hash Table) query handling logic of Nimiq's core-rs-albatross Rust library, which implements the Nimiq Proof-of-Stake protocol. The flaw is reachable over the network without any authentication: a malicious DHT peer that responds first with a tampered record prevents the result accumulator from being initialized, causing all subsequent valid records to be silently dropped. Successful exploitation disrupts DHT-based peer discovery and data retrieval, effectively denying service to the affected node. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix version is published.
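The description and synopsis above both come down to one control-flow mistake: the result accumulator is created only if the first record verifies, so a single bad first response decides the fate of every honest response that follows. The following is an added illustration of that pattern and its hardened form, written for this page; it is not Nimiq's code, and every name in it (DhtRecord, DhtResults, GetOutcome, verify_record, handle_dht_get_vulnerable, handle_dht_get_fixed, sample_responses) and the sample addresses are assumptions constructed for the example.

```rust
// Added illustration of the bug pattern CVE-2026-46541 describes, not Nimiq's
// own code. All type and function names below are assumptions.

#[derive(Debug, Clone, PartialEq)]
pub struct DhtRecord {
    pub key: String,
    pub value: String,
    /// Stand-in for the real signature/validity check on a DHT record.
    pub signature_ok: bool,
}

#[derive(Debug, Clone, PartialEq)]
pub struct DhtResults {
    pub key: String,
    pub values: Vec<String>,
}

/// Outcome of processing one batch of responses to a DHT GET query.
#[derive(Debug, Clone, PartialEq)]
pub struct GetOutcome {
    pub results: Option<DhtResults>,
    /// One diagnostic message per rejected or dropped record.
    pub errors: Vec<String>,
}

fn verify_record(record: &DhtRecord) -> bool {
    record.signature_ok
}

/// Vulnerable pattern (the pre-1.4.0 behaviour as the advisory describes it):
/// the accumulator is created only if the *first* record verifies. A bad first
/// record leaves it uninitialized and every later record, valid or not, is
/// dropped with an "inconsistent state" error.
pub fn handle_dht_get_vulnerable(records: &[DhtRecord]) -> GetOutcome {
    let mut results: Option<DhtResults> = None;
    let mut errors = Vec::new();

    for (i, record) in records.iter().enumerate() {
        if i == 0 {
            if verify_record(record) {
                results = Some(DhtResults { key: record.key.clone(), values: vec![record.value.clone()] });
            } else {
                errors.push(format!("record {}: verification failed", i));
            }
            continue;
        }
        match results.as_mut() {
            Some(acc) if verify_record(record) => acc.values.push(record.value.clone()),
            Some(_) => errors.push(format!("record {}: verification failed", i)),
            // Accumulator missing: data from honest peers is silently discarded.
            None => errors.push(format!("record {}: DHT inconsistent state", i)),
        }
    }
    GetOutcome { results, errors }
}

/// Hardened pattern: a failed verification only skips that one record, and the
/// accumulator is created by whichever record verifies first, whatever its
/// position. No single peer's response can decide the fate of the others.
pub fn handle_dht_get_fixed(records: &[DhtRecord]) -> GetOutcome {
    let mut results: Option<DhtResults> = None;
    let mut errors = Vec::new();

    for (i, record) in records.iter().enumerate() {
        if !verify_record(record) {
            errors.push(format!("record {}: verification failed", i));
            continue;
        }
        results
            .get_or_insert_with(|| DhtResults { key: record.key.clone(), values: Vec::new() })
            .values
            .push(record.value.clone());
    }
    GetOutcome { results, errors }
}

/// Constructed sample responses to one query. When `poisoned` is true the first
/// responder is a malicious peer returning a record that fails verification.
pub fn sample_responses(poisoned: bool) -> Vec<DhtRecord> {
    let mk = |value: &str, ok: bool| DhtRecord {
        key: "validator/42".to_string(), // constructed key
        value: value.to_string(),
        signature_ok: ok,
    };
    let mut records = Vec::new();
    if poisoned {
        records.push(mk("203.0.113.9:8443", false)); // constructed attacker record
    }
    records.push(mk("198.51.100.10:8443", true)); // constructed honest records
    records.push(mk("198.51.100.11:8443", true));
    records
}

fn main() {
    for poisoned in [false, true] {
        let responses = sample_responses(poisoned);
        let vulnerable = handle_dht_get_vulnerable(&responses);
        let fixed = handle_dht_get_fixed(&responses);
        println!(
            "poisoned={}: vulnerable kept {:?} values ({} errors); fixed kept {:?} values ({} errors)",
            poisoned,
            vulnerable.results.as_ref().map(|r| r.values.len()),
            vulnerable.errors.len(),
            fixed.results.as_ref().map(|r| r.values.len()),
            fixed.errors.len()
        );
    }
}
```

With a clean set of responses both handlers agree; with the poisoned set the vulnerable handler returns no results and emits "DHT inconsistent state" for every honest record, while the hardened handler keeps both honest values and records only the one verification failure. For operators of unpatched nodes, a burst of "DHT inconsistent state" errors immediately following a verification failure in the node log is the observable signature of this condition.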

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle nimiq/core-rs-albatross. Any image found running a version below 1.4.0 is flagged immediately.
Triage (Available)

HarborGuard scores this CVE at CVSS 7.5 HIGH and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the team inbox configured for the affected workload within each customer organization.
Patch (Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project releases a remediated version. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target node over the network by acting as a participating DHT peer that responds to queries.

  • Authentication: Not required

    No credentials or account are needed; any DHT peer can send a malformed record in response to a query.

  • Victim interaction: Not required

    No user action is required; the vulnerable code path is triggered automatically when the node processes DHT query responses.

  • Attack complexity: Low

    Exploitation is reliable and has no preconditions beyond positioning a malicious DHT node to respond before legitimate peers, which is feasible in open peer-to-peer networks.

Blast Radius

  • The targeted node's DHT result accumulator is never initialized, causing all valid DHT records from honest peers to be discarded for the duration of the query.
  • Peer discovery and DHT-based data retrieval fail with "DHT inconsistent state" errors, isolating the node from correct network state.
  • Repeated poisoning of queries degrades the node's ability to participate in the Nimiq Proof-of-Stake consensus process, disrupting block propagation and validation.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory is active across all customer environments, with image scans matched against every ingest cycle. Because no upstream fix exists yet, HarborGuard will automatically trigger a patched-image rebuild and, for customers who opt into auto-remediation, open a PR against affected workloads the moment version 1.4.0 or a later remediated release is published upstream. In the interim, compensating controls worth considering include network-policy isolation that restricts which peers can respond to DHT queries (reducing the attacker's ability to front-run legitimate peers), egress filtering to limit DHT participation to known-good peer sets, and feature-flag gating of DHT-dependent functionality where the application design permits it.

Affected packages

  • nimiq / core-rs-albatross (< 1.4.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H