Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for nimiq-account by nimiq

    CVE-2026-34064 (GCVE-0-2026-34064)

    Vulnerability from nvd – Published: 2026-04-22 19:43 – Updated: 2026-04-23 16:25
    VLAI
    Title
    nimiq-account: Vesting insufficient funds error can panic
    Summary
    nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-191 - Integer Underflow (Wrap or Wraparound)
    Assigner
    Impacted products
    Vendor Product Version
    nimiq nimiq-account Affected: < 1.3.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34064",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T13:06:41.242710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T16:25:19.186Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nimiq-account",
              "vendor": "nimiq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nimiq-account contains account primitives to be used in Nimiq\u0027s Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance \u003c min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap \u003e balance`, the node crashes while trying to return an error. The `min_cap \u003e balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount \u003c= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-22T19:43:04.453Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/pull/3658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/pull/3658"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-vc34-39q2-m6q3",
            "discovery": "UNKNOWN"
          },
          "title": "nimiq-account: Vesting insufficient funds error can panic"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34064",
        "datePublished": "2026-04-22T19:43:04.453Z",
        "dateReserved": "2026-03-25T16:21:40.867Z",
        "dateUpdated": "2026-04-23T16:25:19.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34064 (GCVE-0-2026-34064)

    Vulnerability from cvelistv5 – Published: 2026-04-22 19:43 – Updated: 2026-04-23 16:25
    VLAI
    Title
    nimiq-account: Vesting insufficient funds error can panic
    Summary
    nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-191 - Integer Underflow (Wrap or Wraparound)
    Assigner
    Impacted products
    Vendor Product Version
    nimiq nimiq-account Affected: < 1.3.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34064",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-23T13:06:41.242710Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-23T16:25:19.186Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "nimiq-account",
              "vendor": "nimiq",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "nimiq-account contains account primitives to be used in Nimiq\u0027s Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance \u003c min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap \u003e balance`, the node crashes while trying to return an error. The `min_cap \u003e balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount \u003c= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-191",
                  "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-22T19:43:04.453Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/pull/3658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/pull/3658"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0"
            },
            {
              "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-vc34-39q2-m6q3",
            "discovery": "UNKNOWN"
          },
          "title": "nimiq-account: Vesting insufficient funds error can panic"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34064",
        "datePublished": "2026-04-22T19:43:04.453Z",
        "dateReserved": "2026-03-25T16:21:40.867Z",
        "dateUpdated": "2026-04-23T16:25:19.186Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }