PatchSiren cyber security CVE debrief
CVE-2026-44505 nimiq CVE debrief
A vulnerability was discovered in the Nimiq Proof-of-Stake protocol, specifically in the network-libp2p module. The handle_dht_get function in network-libp2p/src/swarm.rs did not properly handle verifier errors when a peer returns a FoundRecord. This can cause the oneshot used by Network::dht_get to hang indefinitely, leading to a denial-of-service (DoS) condition. The vulnerability has been patched in version 1.4.0.
- Vendor: nimiq
- Product: core-rs-albatross
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of the Nimiq Proof-of-Stake protocol, specifically those using versions prior to 1.4.0, should be aware of this vulnerability and take steps to upgrade to the patched version.
Technical summary
The vulnerability is caused by the handle_dht_get function not properly handling verifier errors when a peer returns a FoundRecord. This can cause the oneshot used by Network::dht_get to hang indefinitely. The CVSS score for this vulnerability is 5.3, with a severity of MEDIUM.
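A simplified model of this failure mode, added here as an illustration and not taken from the Nimiq code base: std::sync::mpsc stands in for the oneshot, and Pending, verify, start_get and the two on_found_record_* handlers are hypothetical names. It contrasts a handler that returns early on a verifier error with one that resolves the waiting caller on every outcome.

```rust
use std::collections::HashMap;
use std::sync::mpsc::{channel, Receiver, Sender};
use std::time::Duration;

type DhtResult = Result<Vec<u8>, String>;

/// Hypothetical stand-in for swarm state: one reply sender per in-flight DHT get.
#[derive(Default)]
struct Pending { waiting: HashMap<u64, Sender<DhtResult>> }

/// Hypothetical verifier: accepts only records carrying the constructed tag "ok:".
fn verify(record: &[u8]) -> Result<(), String> {
    if record.starts_with(b"ok:") { Ok(()) } else { Err("verifier rejected record".into()) }
}

impl Pending {
    fn start_get(&mut self, id: u64) -> Receiver<DhtResult> {
        let (tx, rx) = channel();
        self.waiting.insert(id, tx);
        rx
    }

    /// Flawed shape: a verifier error returns early, leaving the sender parked in the map.
    fn on_found_record_flawed(&mut self, id: u64, record: &[u8]) {
        if verify(record).is_err() {
            return; // the waiting caller is never told
        }
        if let Some(tx) = self.waiting.remove(&id) {
            let _ = tx.send(Ok(record.to_vec()));
        }
    }

    /// Corrected shape: every outcome removes the sender and resolves it.
    fn on_found_record_fixed(&mut self, id: u64, record: &[u8]) {
        if let Some(tx) = self.waiting.remove(&id) {
            let _ = tx.send(verify(record).map(|_| record.to_vec()));
        }
    }
}

fn main() {
    let mut p = Pending::default();
    let (a, b) = (p.start_get(1), p.start_get(2));
    p.on_found_record_flawed(1, b"bad"); // constructed record that fails verification
    p.on_found_record_fixed(2, b"bad");
    // The timeout exists only so the demo terminates; without it the first wait never ends.
    println!("flawed: {:?}", a.recv_timeout(Duration::from_millis(50)));
    println!("fixed:  {:?}", b.recv_timeout(Duration::from_millis(50)));
}
```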
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade to version 1.4.0 or later of the Nimiq Proof-of-Stake protocol.
- Review and update any affected systems or applications using the Nimiq protocol.
Evidence notes
The vulnerability was discovered and patched by the Nimiq team. The CVE record was published on June 10, 2026.
Official resources
CVE-2026-44505 was published on 2026-06-10T00:16:52.940Z and modified on 2026-06-10T20:58:26.290Z.