PatchSiren cyber security CVE debrief
CVE-2026-46540 nimiq CVE debrief
CVE-2026-46540 is a MEDIUM severity vulnerability in the Nimiq Proof-of-Stake protocol implementation. The issue arises from the LightBlockchain::rebranch() function not correctly updating certain state variables when adopting a fork chain with a macro block (checkpoint or election) as its tip. Specifically, it fails to update self.macro_head, self.election_head, self.current_validators, and does not store the election header in the chain_store. This discrepancy in behavior compared to the full Blockchain::rebranch() function can lead to subsequent macro blocks being verified against the wrong predecessor and cause chain progression issues. The vulnerability has been patched in version 1.4.0.
- Vendor: nimiq
- Product: core-rs-albatross
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Nimiq's Rust implementation of the Albatross consensus algorithm, specifically those using versions prior to 1.4.0, should be aware of this vulnerability and take steps to update their implementation.
Technical summary
The LightBlockchain::rebranch() function in Nimiq's Rust implementation of the Albatross consensus algorithm fails to correctly update certain state variables when adopting a fork chain with a macro block as its tip. This can lead to subsequent macro blocks being verified against the wrong predecessor and cause chain progression issues.
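The state drift described above, as a simplified Rust model added here for illustration; it is not code from core-rs-albatross. Only the field names come from the advisory text. The types, the `rebranch_unpatched`/`rebranch_patched` pair, the `macro_state_consistent` invariant and the sample blocks are assumptions constructed for this example.

```rust
use std::collections::HashMap;
// Simplified model: these types are assumptions, not core-rs-albatross definitions.
#[derive(Clone, Debug, PartialEq)]
enum Kind { Micro, Checkpoint, Election }
#[derive(Clone, Debug, PartialEq)]
struct Block { height: u32, kind: Kind, validators: Vec<&'static str> }
#[derive(Default)]
struct LightChain {
    head: Option<Block>, macro_head: Option<Block>, election_head: Option<Block>,
    current_validators: Vec<&'static str>,
    chain_store: HashMap<u32, Block>, // election headers keyed by height
}
impl LightChain {
    // Behaviour the summary describes: the head moves, macro state stays behind.
    fn rebranch_unpatched(&mut self, tip: Block) { self.head = Some(tip); }
    // Adopt the tip and move every macro-dependent field with it.
    fn rebranch_patched(&mut self, tip: Block) {
        if tip.kind != Kind::Micro { self.macro_head = Some(tip.clone()); }
        if tip.kind == Kind::Election {
            self.election_head = Some(tip.clone());
            self.current_validators = tip.validators.clone();
            self.chain_store.insert(tip.height, tip.clone());
        }
        self.head = Some(tip);
    }
    // Invariant a regression test can assert after any rebranch.
    fn macro_state_consistent(&self) -> bool {
        match self.head.as_ref() {
            Some(h) if h.kind != Kind::Micro => self.macro_head.as_ref() == Some(h)
                && (h.kind != Kind::Election
                    || (self.election_head.as_ref() == Some(h)
                        && self.current_validators == h.validators
                        && self.chain_store.get(&h.height) == Some(h))),
            _ => true, // no head yet, or a micro-block tip: nothing to check here
        }
    }
}
// Start from a constructed genesis election block, rebranch onto `tip`, check the invariant.
fn consistent_after_rebranch(patched: bool, tip: Block) -> bool {
    let genesis = Block { height: 0, kind: Kind::Election, validators: vec!["v1", "v2"] };
    let mut chain = LightChain::default();
    chain.rebranch_patched(genesis);
    if patched { chain.rebranch_patched(tip) } else { chain.rebranch_unpatched(tip) }
    chain.macro_state_consistent()
}
fn main() {
    let tip = Block { height: 32, kind: Kind::Election, validators: vec!["v3", "v4"] };
    println!("unpatched consistent: {}", consistent_after_rebranch(false, tip.clone()));
    println!("patched consistent:   {}", consistent_after_rebranch(true, tip));
}
```

In the unpatched path the head sits on the fork's macro block while `macro_head`, `election_head` and `current_validators` still describe the old chain, which is the condition under which a later macro block would be checked against the wrong predecessor.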
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 1.4.0 or later of Nimiq's Rust implementation of the Albatross consensus algorithm.
- Review and verify the implementation of LightBlockchain::rebranch() to ensure correct behavior.
Evidence notes
The vulnerability was patched in version 1.4.0. References to the patch and advisory can be found at [ref-5](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0), [ref-6](https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-m3pg-qc2q-mg8c), and [ref-4](https://github.com/nimiq/core-rs-albatross/pull/3706).
Official resources
CVE-2026-46540 was published on 2026-06-10T00:16:54.230Z and modified on 2026-06-10T19:37:41.437Z.