CVE-2026-46545: nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.5.0, a remote, unauthenticated denial-of-service vulnerability in MerkleRadixTrie::put_chunk allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes). This issue has been patched in version 1.5.0.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Panic-based denial-of-service vulnerability in the nimiq/core-rs-albatross Rust library, specifically in the MerkleRadixTrie put_chunk function. The flaw is reachable over the network without any authentication, allowing any state-sync peer to trigger it remotely. Successful exploitation crashes any node currently performing state synchronization, including freshly joining nodes and nodes in recovery, disrupting participation in the Nimiq Proof-of-Stake network. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched rebuild the moment an upstream fix is released.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle nimiq/core-rs-albatross. Images containing affected versions of the library are flagged in both registry scans and CI pipeline checks.
Status: Available
HarborGuard scores this issue at CVSS 7.5 HIGH using the published v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routed to the appropriate inbox within each customer organization based on configured ownership rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release ships. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable code path is exposed over the network; an attacker must be able to reach the target node's state-sync service to send a malicious trie chunk.
- Authentication: Not required
No credentials or account are needed; any unauthenticated state-sync peer can trigger the panic.
- Victim interaction: Not required
No user action is required; the crash occurs purely from receiving a crafted network message during state synchronization.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout.
Blast Radius
- The affected node process crashes, terminating its participation in the Nimiq Proof-of-Stake network immediately.
- Freshly joining nodes and nodes in the middle of recovery are selectively targeted, preventing them from completing synchronization and rejoining the network.
- Repeated triggering of the crash keeps targeted nodes permanently offline as long as they attempt to re-sync, creating a sustained availability outage for those instances.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously with no fix version currently published upstream. HarborGuard re-evaluates the advisory on every ingest cycle; when nimiq/core-rs-albatross version 1.5.0 or a later patched release is confirmed, a rebuilt image becomes available immediately, and customers with auto-remediation enabled will receive a regression-tested rebuild plus a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation that restricts which peers can initiate state-sync connections to your nodes, egress and ingress filtering at the container or pod boundary to limit exposure of the state-sync port, and deferring state-sync operations on sensitive nodes until a patch is available where operational constraints allow.
- nimiq/core-rs-albatross < 1.5.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
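A local check for the affected range listed above, as an added example that is not HarborGuard's scanner or Nimiq project code: it scans Cargo.lock text for `nimiq-*` packages below 1.5.0. It assumes crates built from core-rs-albatross appear under `nimiq-*` names at the project's release version; the sample lock contents are constructed.

```rust
// Added example, not HarborGuard or Nimiq code. Assumption: crates built from
// core-rs-albatross appear in Cargo.lock as `nimiq-*` at the project version.
const FIXED: (u64, u64, u64) = (1, 5, 0); // fixed release named on this page

/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into (triple, is_prerelease).
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let core = v.split('+').next()?;
    let (nums, pre) = core.split_once('-').map_or((core, false), |(n, _)| (n, true));
    let mut it = nums.split('.').map(|p| p.parse::<u64>());
    let triple = (it.next()?.ok()?, it.next()?.ok()?, it.next()?.ok()?);
    if it.next().is_some() { return None; } // more than three numeric parts
    Some((triple, pre))
}

/// Affected means below 1.5.0; a pre-release of 1.5.0 also sorts below it.
fn is_affected(v: &str) -> bool {
    match parse_version(v) {
        Some((t, pre)) => t < FIXED || (t == FIXED && pre),
        None => true, // unparseable version: flag for manual review
    }
}

/// Return (name, version) for every affected nimiq-* package in a Cargo.lock.
fn affected_packages(lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new package entry: forget the previous name
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            let hit = name.as_deref().filter(|n| n.starts_with("nimiq-") && is_affected(v));
            if let Some(n) = hit { hits.push((n.to_string(), v.to_string())); }
        }
    }
    hits
}

// Constructed sample lock file contents, not taken from a real project.
const SAMPLE_LOCK: &str = "version = 3\n[[package]]\nname = \"nimiq-primitives\"\nversion = \"1.4.0\"\n[[package]]\nname = \"nimiq-hash\"\nversion = \"1.5.0\"\n[[package]]\nname = \"serde\"\nversion = \"1.0.0\"\n";

fn main() {
    for (name, version) in affected_packages(SAMPLE_LOCK) {
        println!("affected: {name} {version} (fixed in 1.5.0)");
    }
}
```

Versions that cannot be parsed are reported rather than skipped, so an unusual version string is surfaced for manual review instead of silently passing.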