PatchSiren cyber security CVE debrief

CVE-2026-40092 nimiq CVE debrief

CVE-2026-40092 is a denial-of-service vulnerability in Nimiq’s Rust blockchain implementation. In affected versions, a remote peer can send a crafted Kademlia DHT record that causes a full node to panic during signature verification, crashing the process. The issue is fixed in v1.4.0.

Vendor: nimiq
Product: core-rs-albatross
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators and maintainers of Nimiq full nodes, especially deployments running nimiq-blockchain 1.3.0 or earlier and any service that depends on node availability.

Technical summary

The vulnerability is triggered during DHT record verification. A maliciously crafted TaggedSigned<ValidatorRecord, KeyPair> can supply an Ed25519 signature byte slice whose length is not exactly 64 bytes. When TaggedSigned::verify reaches Ed25519Signature::from_bytes(sig).unwrap() in the Ed25519 TaggedPublicKey implementation, ed25519_zebra::Signature::try_from rejects the malformed slice, from_bytes fails, and the unwrap panics. The BLS TaggedPublicKey path handles the error by returning false, so the crash is specific to the Ed25519 implementation.
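To make the failure mode concrete, the following is an added Rust model of the two verify shapes described above; it is not code from core-rs-albatross. The ed25519_zebra curve check is replaced by a byte comparison against a stored expected signature (a constructed stand-in) so it runs with std alone, and the struct and key names are assumptions that only loosely follow the advisory's identifiers.

```rust
// Added model of the panic described above, not core-rs-albatross code.
// The real ed25519_zebra curve check is stood in for by a byte comparison
// so the example runs with std alone; only the parsing step is faithful.
#[derive(Debug)]
pub struct SignatureError;

/// Fixed-size Ed25519 signature parsed from untrusted DHT record bytes.
pub struct Ed25519Signature([u8; 64]);

impl Ed25519Signature {
    /// Mirrors ed25519_zebra::Signature::try_from: a slice that is not
    /// exactly 64 bytes is rejected with an error, never silently padded.
    pub fn from_bytes(sig: &[u8]) -> Result<Self, SignatureError> {
        if sig.len() != 64 {
            return Err(SignatureError);
        }
        let mut arr = [0u8; 64];
        arr.copy_from_slice(sig);
        Ok(Ed25519Signature(arr))
    }
}

/// Stand-in public key: "verification" is equality with a stored expected
/// signature, a constructed placeholder for the curve arithmetic.
pub struct Ed25519PublicKey {
    pub expected: [u8; 64],
}

impl Ed25519PublicKey {
    fn check(&self, sig: &Ed25519Signature) -> bool {
        sig.0 == self.expected
    }
    /// Vulnerable shape: unwrap() on a length the remote peer controls.
    pub fn verify_unwrapping(&self, sig: &[u8]) -> bool {
        self.check(&Ed25519Signature::from_bytes(sig).unwrap())
    }
    /// Hardened shape: a malformed signature is simply invalid (BLS behaviour).
    pub fn verify_hardened(&self, sig: &[u8]) -> bool {
        match Ed25519Signature::from_bytes(sig) {
            Ok(parsed) => self.check(&parsed),
            Err(_) => false,
        }
    }
}

// Demo helper: run the vulnerable path under catch_unwind so the crash is
// observable as a boolean instead of taking the whole process down.
pub fn unwrapping_path_panics(key: &Ed25519PublicKey, sig: &[u8]) -> bool {
    let run = std::panic::AssertUnwindSafe(|| key.verify_unwrapping(sig));
    std::panic::catch_unwind(run).is_err()
}
```

The hardened shape is the one to look for when auditing other `from_bytes(...).unwrap()` calls that sit on a network boundary: the parse error is mapped to a verification failure rather than propagated as a panic.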

Defensive priority

High. This is an unauthenticated, network-reachable availability issue with a straightforward crash condition and no user interaction required.

Recommended defensive actions

  • Upgrade nimiq-blockchain to version 1.4.0 or later.
  • Prioritize patching exposed full nodes and any infrastructure that directly processes untrusted DHT traffic.
  • If immediate upgrading is not possible, reduce exposure of vulnerable nodes to untrusted peers where operationally feasible.
  • Monitor for unexpected process exits or crash loops on affected nodes until remediation is complete.

Evidence notes

The CVE record and NVD entry identify the issue as a network-triggered availability problem with CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The GitHub advisory, fix commit, pull request, and v1.4.0 release are the supplied references supporting the affected/fixed version range and remediation path.

Official resources

Publicly disclosed on 2026-05-20, with the issue fixed in v1.4.0 and documented in the linked GitHub advisory and NVD record.