PatchSiren cyber security CVE debrief
CVE-2026-46541 nimiq CVE debrief
CVE-2026-46541 affects nimiq core-rs-albatross, an implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails verification (for example, because it comes from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with 'DHT inconsistent state' errors. This issue has been patched in version 1.4.0.
- Vendor: nimiq
- Product: core-rs-albatross
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm, specifically those running versions prior to 1.4.0.
Technical summary
The vulnerability exists in the handle_dht_get() function where the DhtResults accumulator is not initialized if the first DHT record fails verification. This causes all subsequent valid records to be discarded.
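The failure mode described above, reduced to a minimal Rust model (an added example, not code from core-rs-albatross or its patch). Record, Results, Query and both handler names are hypothetical; only the 'DHT inconsistent state' error text comes from the advisory, and the eager-initialization variant is one possible hardening assumed here for illustration.

```rust
// Added illustration of the bug class; all names are hypothetical and are
// not identifiers from core-rs-albatross.
#[derive(Clone, Copy)]
struct Record { verifies: bool, value: u32 }
#[derive(Default)]
struct Results { accepted: Vec<u32> }
#[derive(Default)]
struct Query { results: Option<Results> }

impl Query {
    /// Pre-fix pattern: the accumulator is created only when the FIRST
    /// record of a query passes verification.
    fn on_record_lazy(&mut self, first: bool, rec: Record) -> Result<(), &'static str> {
        if first {
            if !rec.verifies { return Err("verification failed"); } // nothing initialized
            self.results = Some(Results { accepted: vec![rec.value] });
            return Ok(());
        }
        // Every later record assumes the accumulator already exists.
        let acc = self.results.as_mut().ok_or("DHT inconsistent state")?;
        if !rec.verifies { return Err("verification failed"); }
        acc.accepted.push(rec.value);
        Ok(())
    }
    /// Hardened pattern (assumed): create the accumulator on first use,
    /// independent of whether that record verifies.
    fn on_record_eager(&mut self, rec: Record) -> Result<(), &'static str> {
        let acc = self.results.get_or_insert_with(Results::default);
        if !rec.verifies { return Err("verification failed"); }
        acc.accepted.push(rec.value);
        Ok(())
    }
}

/// Feed a record stream through one handler and return the accepted values.
fn run(records: &[Record], lazy: bool) -> Vec<u32> {
    let mut q = Query::default();
    for (i, r) in records.iter().enumerate() {
        let _ = if lazy { q.on_record_lazy(i == 0, *r) } else { q.on_record_eager(*r) };
    }
    q.results.map(|r| r.accepted).unwrap_or_default()
}
// Constructed input: one unverifiable record arrives first, then two valid ones.
fn sample() -> Vec<Record> {
    [(false, 0), (true, 7), (true, 9)].iter().map(|&(verifies, value)| Record { verifies, value }).collect()
}
fn main() {
    println!("lazy: {:?}, eager: {:?}", run(&sample(), true), run(&sample(), false));
}
```

With the lazy handler, the two valid records are lost because the accumulator was never created; the eager handler rejects only the bad record.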
Defensive priority
HIGH
Recommended defensive actions
- Update to version 1.4.0 or later to patch the vulnerability.
- Review and verify the implementation of the handle_dht_get() function to ensure proper initialization of the DhtResults accumulator.
Evidence notes
The vulnerability has been patched in version 1.4.0. References: [ref-5](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0), [ref-4](https://github.com/nimiq/core-rs-albatross/pull/3707), [ref-6](https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-ccqv-2c9q-mqw5).
Official resources
CVE-2026-46541 was published on 2026-06-10.