nimiq/core-rs-albatross, Denial-of-Service (DoS) via Malformed P2P Request (Moderate)

Listen to this Post

How CVE works (technical details)

The vulnerability exists in the `RequestMacroChain` message handler of the Nimiq Albatross consensus implementation. An unauthenticated peer can send a `RequestMacroChain` message with a specially crafted block locator list. The handler validates locators by checking if a hash belongs to the node’s main chain, but it does not verify whether the located block is a macro block or a micro block. If the first matching hash on the main chain corresponds to a micro block, the code proceeds to call `get_macro_blocks()` on that block. Since a micro block does not contain macro block data, the method returns a BlockchainError::BlockIsNotMacro, which is then unwrapped with .unwrap(). This `unwrap()` call causes a panic in the async task, crashing the node’s consensus thread. The attack requires no authentication, can be executed by any P2P peer, and leads to a full denial-of-service (DoS) of the target node. The panic is deterministic and does not rely on race conditions. The issue was introduced because the `RequestMacroChain` handler implicitly assumed that any block locator on the main chain would always point to a macro block, which is false for nodes that have processed micro blocks. The handler lacks a type check before the unsafe unwrap. The fix adds a validation step that explicitly rejects locators that resolve to micro blocks, preventing the panic.

dailycve form:

Platform: Nimiq core-rs-albatross
Version: prior to 1.3.0
Vulnerability: P2P DoS panic
Severity: Moderate
Date: 2026-04-11

Prediction: 2026-04-13

What Undercode Say:

Simulate malformed RequestMacroChain locator using netcat
echo -ne '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | nc -u target 8444
// Vulnerable code pattern in RequestMacroChain::handle
let locator = self.locators.iter()
.find(|hash| blockchain.is_on_main_chain(hash))
.unwrap();
let macro_blocks = blockchain.get_macro_blocks(locator).unwrap(); // panic if locator is micro block

Exploit:

Send a `RequestMacroChain` P2P message where the first block locator that exists on the target’s main chain is a micro block hash (e.g., any block with an even height in the current epoch). The handler will select this hash, call `get_macro_blocks()` on it, and crash with BlockIsNotMacro.

Protection from this CVE:

Upgrade to Nimiq core-rs-albatross version 1.3.0 or later. If patching is not possible, deploy network-layer filtering to drop `RequestMacroChain` messages from untrusted peers, though this breaks macro sync functionality.

Impact:

An unauthenticated attacker can crash any vulnerable node by sending a single malformed `RequestMacroChain` message, leading to total loss of service for that node. No prior access or node resources are required. The attack is trivial to execute and can be repeated to prevent recovery.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top