nimiq-blockchain, Remote Crash, CVE-2026-46543 (Moderate)

Listen to this Post

How CVE-2026-46543 Works:

The vulnerability resides in how the Nimiq blockchain node handles a peer-to-peer message of type RequestBatchSet. A remote attacker crafts a `RequestBatchSet` message where the block hash field is set to the hash of the network’s genesis block. When a vulnerable node processes this specially crafted message, it invokes the `get_epoch_chunks` handler. This function attempts to retrieve epoch chunk data by iterating backwards through the blockchain’s macro blocks. The iteration logic relies on the `Policy::macro_block_before` function to move from a given block number to the preceding macro block. The iteration continues until it can no longer find a macro block. However, the loop does not correctly detect when it has reached the genesis block. Once the iteration logic reaches the block number of the genesis block (block number 0), `Policy::macro_block_before` is called again. At this point, the function panics because there is no valid macro block before block number 0, triggering the error message “No macro blocks before genesis block”. This panic is not caught, causing the node’s main execution thread to abort and the entire full node process to crash, leading to a denial of service. The attack is remote and requires no prior authentication or special privileges, as the `RequestBatchSet` message is part of the standard peer-to-peer protocol. Requesting the genesis batch set is not used during normal node operation, making the attack trivial to detect in logs but still devastating as an unauthenticated crash vector.

dailycve form:

Platform: nimiq-blockchain
Version: before 1.5.0
Vulnerability : Remote Crash
Severity: Moderate
date: 2026-05-15

Prediction: Patch 2026-05-21

Analytics

What Undercode Say:

Check currently installed version
nimiq-node --version
Simulate malicious RequestBatchSet (requires netcat)
echo -n 'RequestBatchSet:genesis_hash' | nc -u <target_node_ip> 8443
Monitor for crash pattern in logs
grep -i "macro blocks before genesis" /var/log/nimiq/node.log
Verify patch level after update
git clone https://github.com/nimiq/core-rs-albatross
git checkout v1.5.0
cargo build --release

Exploit:

An unauthenticated remote peer sends a single `RequestBatchSet` message containing the genesis block hash. The vulnerable node’s handler calls `get_epoch_chunks` which loops backward until `Policy::macro_block_before` panics at genesis, crashing the full node.

Protection from this CVE

Upgrade to Nimiq core-rs-albatross version 1.5.0 or later. Block unexpected `RequestBatchSet` messages at firewall level if upgrade is not immediately possible. The vulnerable code path is not used during normal operation, so network monitoring can detect malicious requests.

Impact:

Complete crash of any full node running versions before 1.5.0, leading to denial of service. An attacker can repeatedly crash nodes, disrupting network consensus participation and potentially isolating honest nodes. No data corruption or remote code execution is involved.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top