4.3
CVE-2026-46542
- EPSS 0.23%
- Veröffentlicht 09.06.2026 23:46:21
- Zuletzt bearbeitet 10.06.2026 19:37:41
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, a denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize() in keys/src/multisig/mod.rs called .unwrap() on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. Ed25519PublicKey construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the hosting process. This issue has been patched in version 1.4.0.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellernimiq
≫
Produkt
core-rs-albatross
Version
< 1.4.0
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.137 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
|
CWE-617 Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-h9cc-w26m-j342
https://github.com/nimiq/core-rs-albatross/pull/3713