Listen to this Post
How CVE works (technical details)
The vulnerability exists in the `RequestMacroChain` message handler of the Nimiq Albatross consensus implementation. An unauthenticated peer can send a `RequestMacroChain` message with a specially crafted block locator list. The handler validates locators by checking if a hash belongs to the node’s main chain, but it does not verify whether the located block is a macro block or a micro block. If the first matching hash on the main chain corresponds to a micro block, the code proceeds to call `get_macro_blocks()` on that block. Since a micro block does not contain macro block data, the method returns a BlockchainError::BlockIsNotMacro, which is then unwrapped with .unwrap(). This `unwrap()` call causes a panic in the async task, crashing the node’s consensus thread. The attack requires no authentication, can be executed by any P2P peer, and leads to a full denial-of-service (DoS) of the target node. The panic is deterministic and does not rely on race conditions. The issue was introduced because the `RequestMacroChain` handler implicitly assumed that any block locator on the main chain would always point to a macro block, which is false for nodes that have processed micro blocks. The handler lacks a type check before the unsafe unwrap. The fix adds a validation step that explicitly rejects locators that resolve to micro blocks, preventing the panic.
dailycve form:
Platform: Nimiq core-rs-albatross
Version: prior to 1.3.0
Vulnerability: P2P DoS panic
Severity: Moderate
Date: 2026-04-11
Prediction: 2026-04-13
What Undercode Say:
Simulate malformed RequestMacroChain locator using netcat echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc -u target 8444
// Vulnerable code pattern in RequestMacroChain::handle let locator = self.locators.iter() .find(|hash| blockchain.is_on_main_chain(hash)) .unwrap(); let macro_blocks = blockchain.get_macro_blocks(locator).unwrap(); // panic if locator is micro block
Exploit:
Send a `RequestMacroChain` P2P message where the first block locator that exists on the target’s main chain is a micro block hash (e.g., any block with an even height in the current epoch). The handler will select this hash, call `get_macro_blocks()` on it, and crash with BlockIsNotMacro.
Protection from this CVE:
Upgrade to Nimiq core-rs-albatross version 1.3.0 or later. If patching is not possible, deploy network-layer filtering to drop `RequestMacroChain` messages from untrusted peers, though this breaks macro sync functionality.
Impact:
An unauthenticated attacker can crash any vulnerable node by sending a single malformed `RequestMacroChain` message, leading to total loss of service for that node. No prior access or node resources are required. The attack is trivial to execute and can be repeated to prevent recovery.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

