PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40094 nimiq CVE debrief

CVE-2026-40094 is a denial-of-service issue in Nimiq's Rust implementation (core-rs-albatross) where network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in the peer contact book. A PeerContact can legally carry an empty addresses list, and nothing at the storage boundary enforces a non-empty list, so later address-book construction panics when it reaches an "every peer should have at least one address" expectation. Once an attacker has inserted a signed peer contact with addresses=[], a subsequent call to get_address_book can crash the node or the RPC task, depending on how the process handles the panic. The issue is fixed in version 1.4.0.

Vendor
nimiq
Product
core-rs-albatross
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-21
Advisory published
2026-05-20
Advisory updated
2026-05-21

Who should care

Operators of Nimiq nodes on versions 1.3.0 and earlier, especially deployments that accept untrusted discovery traffic or expose RPC/web clients that query the address book. Maintainers of forks or downstream services that reuse the same peer-contact handling should also review their validation and upgrade path.

Technical summary

The supplied advisory describes an input-validation gap in PeerContact processing. Discovery accepts signed updates from untrusted peers and stores them without requiring at least one address. Later, PeerContactBook::known_peers builds an address book by calling addresses.first().expect("every peer should have at least one address") on each stored contact. When an attacker has inserted a signed PeerContact with an empty addresses list, get_address_book panics when it reaches that entry. The trigger is therefore two-stage: the malicious contact is accepted silently at discovery time, and the crash fires only when something later queries the address book. NVD lists the weakness as CWE-754 (Improper Check for Unusual or Exceptional Conditions) and assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (4.3), a network-reachable availability impact where the UI:R component is consistent with the panic being raised by a later query rather than on receipt of the malicious update.

Defensive priority

Medium. Patch promptly if you run affected versions, because the bug can crash address-book queries and may take down a node or RPC task. Whether a panic kills only the RPC task or the whole process depends on the build's panic strategy and on where the query runs, so treat both outcomes as outage risk. Priority should be highest for exposed deployments that accept discovery data from untrusted peers and that serve address-book queries to clients.

Recommended defensive actions

  • Upgrade to version 1.4.0 or later as soon as possible.
  • Confirm no production nodes or RPC/web clients are still running 1.3.0 or earlier.
  • Review panic handling and restart behavior so a single malformed peer-contact entry does not leave services unavailable for long.
  • If you maintain a fork or adjacent code, add validation that rejects PeerContact entries with an empty addresses list before they are stored, and make address-book construction skip or report such entries instead of relying on expect() to hold the invariant.
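The following Rust model illustrates the crash path from the technical summary and the validation suggested in the last action above. It is an added example, not code from core-rs-albatross: PeerContact, PeerContactBook, the insert and known_peers functions, and the boolean signature_valid field standing in for signature verification are all simplified stand-ins, and the sample contacts are constructed inline. The vulnerable book stores any well-signed contact and builds its address book with first().expect(...); the hardened variants reject empty address lists at insert time and use filter_map so an empty entry can never abort the query.

```rust
// Illustrative model of the CVE-2026-40094 pattern (example code, not Nimiq's).
use std::collections::HashMap;
use std::panic::{self, AssertUnwindSafe};

/// Hypothetical peer identifier type.
#[derive(Clone, Debug, PartialEq)]
pub struct PeerId(pub String);

/// Simplified stand-in for a signed PeerContact. The signature check is
/// modelled as a boolean because the flaw does not depend on it: a
/// correctly signed contact with no addresses is the malicious input.
#[derive(Clone, Debug)]
pub struct PeerContact {
    pub peer_id: PeerId,
    pub addresses: Vec<String>, // legally empty in the vulnerable model
    pub signature_valid: bool,
}

#[derive(Default)]
pub struct PeerContactBook {
    contacts: HashMap<String, PeerContact>,
}

impl PeerContactBook {
    /// Vulnerable insert: accepts every well-signed update, even one
    /// carrying an empty addresses list.
    pub fn insert_unchecked(&mut self, contact: PeerContact) -> bool {
        if !contact.signature_valid {
            return false;
        }
        self.contacts.insert(contact.peer_id.0.clone(), contact);
        true
    }

    /// Hardened insert: additionally requires at least one address, so the
    /// "every peer has an address" invariant is enforced at the boundary.
    pub fn insert_validated(&mut self, contact: PeerContact) -> Result<(), &'static str> {
        if !contact.signature_valid {
            return Err("bad signature");
        }
        if contact.addresses.is_empty() {
            return Err("empty addresses list");
        }
        self.contacts.insert(contact.peer_id.0.clone(), contact);
        Ok(())
    }

    /// Vulnerable address-book construction: panics on the first contact
    /// whose addresses list is empty, mirroring the expect() in the advisory.
    pub fn known_peers_vulnerable(&self) -> Vec<(PeerId, String)> {
        self.contacts
            .values()
            .map(|c| {
                let addr = c
                    .addresses
                    .first()
                    .expect("every peer should have at least one address");
                (c.peer_id.clone(), addr.clone())
            })
            .collect()
    }

    /// Hardened construction: a contact with no address is skipped rather
    /// than treated as an impossible state.
    pub fn known_peers_hardened(&self) -> Vec<(PeerId, String)> {
        self.contacts
            .values()
            .filter_map(|c| c.addresses.first().map(|a| (c.peer_id.clone(), a.clone())))
            .collect()
    }
}

/// Runs the vulnerable query under catch_unwind so the crash is observable
/// as a value: true means get_address_book would have panicked.
pub fn vulnerable_path_panics(book: &PeerContactBook) -> bool {
    panic::catch_unwind(AssertUnwindSafe(|| book.known_peers_vulnerable())).is_err()
}

/// Constructed sample input: one normal contact and one attacker-supplied
/// contact that is correctly signed but has addresses=[].
pub fn constructed_contacts() -> (PeerContact, PeerContact) {
    let good = PeerContact {
        peer_id: PeerId("peer-good".into()),
        addresses: vec!["/ip4/203.0.113.10/tcp/8443".into()],
        signature_valid: true,
    };
    let empty = PeerContact {
        peer_id: PeerId("peer-attacker".into()),
        addresses: vec![],
        signature_valid: true,
    };
    (good, empty)
}

fn main() {
    let (good, empty) = constructed_contacts();
    let mut vuln = PeerContactBook::default();
    vuln.insert_unchecked(good.clone());
    vuln.insert_unchecked(empty.clone());
    println!("vulnerable book panics on query: {}", vulnerable_path_panics(&vuln));
    println!("hardened query on same book: {:?}", vuln.known_peers_hardened());

    let mut hard = PeerContactBook::default();
    println!("validated insert of good: {:?}", hard.insert_validated(good));
    println!("validated insert of empty: {:?}", hard.insert_validated(empty));
    println!("hardened book panics on query: {}", vulnerable_path_panics(&hard));
}
```

Both fixes are worth applying together: boundary validation keeps bad entries out of persisted state, and the filter_map form protects any query path that still reads a contact book written by an older, unpatched node.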

Evidence notes

The vulnerability description, version range, and fixed version come from the supplied CVE record and GitHub Security Advisory references. The crash path is directly supported by the described code flow: accepted PeerContact updates are stored, and known_peers later dereferences addresses.first().expect(...), which can panic when addresses is empty. NVD also supplies the CVSS vector and CWE-754 classification.

Official resources

Publicly disclosed on 2026-05-20 in the CVE/NVD record, with the issue reported as fixed in version 1.4.0.