PatchSiren cyber security CVE debrief
CVE-2026-46542 nimiq CVE debrief
CVE-2026-46542 is a MEDIUM severity vulnerability in the Nimiq Proof-of-Stake protocol implementation. The issue exists in the Ed25519 multisig delinearization code path, specifically in the `Ed25519PublicKey::delinearize()` function. This function calls `.unwrap()` on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point on the Ed25519 curve. The vulnerability allows for denial-of-service attacks, as invalid keys can reach the delinearization path and crash the hosting process. The issue has been patched in version 1.4.0.
- Vendor: nimiq
- Product: core-rs-albatross
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of Nimiq's Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm, particularly those using versions prior to 1.4.0.
Technical summary
The vulnerability is caused by the `Ed25519PublicKey::delinearize()` function calling `.unwrap()` on curve point decompression without first validating that the provided bytes represent a valid point on the Ed25519 curve. When an invalid key is provided, decompression fails, the `.unwrap()` panics, and the hosting process crashes.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 1.4.0 or later to apply the patch.
- Validate the curve membership of public keys before passing them to the delinearization function.
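The curve-membership check from the second action, as an added example that is not code from Nimiq or from this advisory: it decodes a 32-byte key following RFC 8032 section 5.1.3 and returns `None` for anything that is not a point on the curve, so the caller can reject the key instead of crashing. The function names and sample keys are constructed for illustration, and using RFC 8032's strict decoding rules is an assumption; the library's own decompression may treat edge encodings differently.

```python
# Added example, not Nimiq code: RFC 8032 (section 5.1.3) point decoding
# used as a gate so off-curve keys are rejected with an error, not a crash.
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P   # Edwards curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)         # a square root of -1 mod P

def decode_point(key: bytes):
    """Return (x, y) if key encodes a point on the curve, else None."""
    if len(key) != 32:
        return None
    n = int.from_bytes(key, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)
    if y >= P:                             # non-canonical y coordinate
        return None
    u, v = (y * y - 1) % P, (D * y * y + 1) % P   # x^2 = u / v
    x = u * pow(v, 3, P) * pow(u * pow(v, 7, P), (P - 5) // 8, P) % P
    vx2 = v * x * x % P
    if vx2 == (-u) % P and u != 0:
        x = x * SQRT_M1 % P                # candidate was a root of -u/v
    elif vx2 != u:
        return None                        # u/v is not a square: off-curve
    if x == 0 and sign:
        return None                        # x = 0 cannot carry a sign bit
    return (P - x if (x & 1) != sign else x), y

def invalid_key_indices(keys):
    """Indices of participant keys to reject before multisig delinearization."""
    return [i for i, k in enumerate(keys) if decode_point(k) is None]

def first_off_curve_key() -> bytes:
    """Constructed sample: smallest y >= 2 with no matching x on the curve."""
    return next(k for k in (y.to_bytes(32, "little") for y in range(2, 256))
                if decode_point(k) is None)

# Constructed sample input: base point, an off-curve key, a truncated key.
BASE_POINT = bytes.fromhex("58" + "66" * 31)
SAMPLE_KEYS = [BASE_POINT, first_off_curve_key(), BASE_POINT[:31]]

if __name__ == "__main__":
    print("rejected indices:", invalid_key_indices(SAMPLE_KEYS))
```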
Evidence notes
The vulnerability was patched in version 1.4.0. References to the patch and advisory: [v1.4.0 release](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0), [advisory GHSA-h9cc-w26m-j342](https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-h9cc-w26m-j342), and [pull request 3713](https://github.com/nimiq/core-rs-albatross/pull/3713).
Official resources
CVE-2026-46542 was published on 2026-06-10T00:16:54.500Z and modified on 2026-06-10T19:37:41.437Z.