CVE-2026-34061 (GCVE-0-2026-34061)

Vulnerability from cvelistv5 – Published: 2026-04-03 22:07 – Updated: 2026-04-06 15:42
VLAI?
Title
nimiq/core-rs-albatross: Macro block proposal interlink bug
Summary
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks. The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This issue has been patched in version 1.3.0.
Severity ?
4.9 (Medium)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
Vendor Product Version
nimiq core-rs-albatross Affected: < 1.3.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34061",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-06T15:37:16.058073Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-06T15:42:21.027Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "core-rs-albatross",
          "vendor": "nimiq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks. The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This issue has been patched in version 1.3.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-03T22:07:40.969Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5"
        },
        {
          "name": "https://github.com/nimiq/core-rs-albatross/pull/3668",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nimiq/core-rs-albatross/pull/3668"
        },
        {
          "name": "https://github.com/nimiq/core-rs-albatross/commit/9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nimiq/core-rs-albatross/commit/9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7"
        },
        {
          "name": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gr83-j5f8-p2r5",
        "discovery": "UNKNOWN"
      },
      "title": "nimiq/core-rs-albatross: Macro block proposal interlink bug"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34061",
    "datePublished": "2026-04-03T22:07:40.969Z",
    "dateReserved": "2026-03-25T16:21:40.866Z",
    "dateUpdated": "2026-04-06T15:42:21.027Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-34061",
      "date": "2026-04-24",
      "epss": "0.00023",
      "percentile": "0.06409"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-34061\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-03T23:17:03.940\",\"lastModified\":\"2026-04-13T17:41:37.357\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks. The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This issue has been patched in version 1.3.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":4.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-345\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nimiq:core-rs-albatross:*:*:*:*:*:rust:*:*\",\"versionEndIncluding\":\"1.2.2\",\"matchCriteriaId\":\"EF6264E4-E79C-4ED1-B821-F022691EB969\"}]}]}],\"references\":[{\"url\":\"https://github.com/nimiq/core-rs-albatross/commit/9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nimiq/core-rs-albatross/pull/3668\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34061\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-06T15:37:16.058073Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-06T15:37:20.339Z\"}}], \"cna\": {\"title\": \"nimiq/core-rs-albatross: Macro block proposal interlink bug\", \"source\": {\"advisory\": \"GHSA-gr83-j5f8-p2r5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"nimiq\", \"product\": \"core-rs-albatross\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.3.0\"}]}], \"references\": [{\"url\": \"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5\", \"name\": \"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-gr83-j5f8-p2r5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nimiq/core-rs-albatross/pull/3668\", \"name\": \"https://github.com/nimiq/core-rs-albatross/pull/3668\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nimiq/core-rs-albatross/commit/9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7\", \"name\": \"https://github.com/nimiq/core-rs-albatross/commit/9d7d17c9163384e79f61cdbbfe9853ae57bb8bf7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0\", \"name\": \"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest validators accept that proposal in verify_macro_block_proposal() because the proposal path validates header shape, successor relation, proposer, body root, and state, but never checks the interlink binding for election blocks. The same finalized block is later rejected by verify_block() during push with InvalidInterlink. Because validators prevote and precommit the malformed header hash itself, the failure happens after Tendermint decides the block, not before voting. This issue has been patched in version 1.3.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-345\", \"description\": \"CWE-345: Insufficient Verification of Data Authenticity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-03T22:07:40.969Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-34061\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-06T15:42:21.027Z\", \"dateReserved\": \"2026-03-25T16:21:40.866Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-03T22:07:40.969Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.