PatchSiren cyber security CVE debrief
CVE-2026-46543 Nimiq CVE debrief
CVE-2026-46543 is a vulnerability in Nimiq's Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before panics with 'No macro blocks before genesis block'. This issue has been patched in version 1.5.0.
- Vendor: Nimiq
- Product: core-rs-albatross (Rust implementation of the Nimiq Proof-of-Stake protocol)
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Anyone running Nimiq's Rust implementation of the Nimiq Proof-of-Stake protocol at a version prior to 1.5.0 is affected and should update to the patched version.
Technical summary
The vulnerability is caused by the improper handling of a RequestBatchSet message containing the genesis block's hash. This can be exploited by a remote peer to crash any full node. The issue arises from the get_epoch_chunks function iterating backwards through macro blocks using Policy::macro_block_before, which panics when it reaches the genesis block number.
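The panic path described above, reduced to a simplified Rust model with a checked variant beside it. This is an added example, not code from core-rs-albatross: the constants, the arithmetic inside `macro_block_before`, and the names `checked_macro_block_before`, `walk_back` and `walk_back_unchecked` are assumptions made for illustration.

```rust
// Simplified model of the bug class. Constants and function bodies are
// assumptions for illustration, not Nimiq's real Policy implementation.
const GENESIS_BLOCK_NUMBER: u32 = 0; // assumed
const BLOCKS_PER_BATCH: u32 = 60; // assumed macro block interval

/// Panicking helper, mirroring the behaviour the advisory describes.
fn macro_block_before(block_number: u32) -> u32 {
    if block_number <= GENESIS_BLOCK_NUMBER {
        panic!("No macro blocks before genesis block");
    }
    let offset = block_number - GENESIS_BLOCK_NUMBER - 1;
    GENESIS_BLOCK_NUMBER + offset / BLOCKS_PER_BATCH * BLOCKS_PER_BATCH
}

/// Checked variant: genesis has no predecessor, so report that as None.
fn checked_macro_block_before(block_number: u32) -> Option<u32> {
    if block_number <= GENESIS_BLOCK_NUMBER {
        return None;
    }
    Some(macro_block_before(block_number))
}

/// Vulnerable shape: a request handler walks backwards from a block chosen
/// by the peer and calls the panicking helper without a genesis check.
fn walk_back_unchecked(start: u32, steps: usize) -> Vec<u32> {
    let mut visited = Vec::new();
    let mut current = start;
    for _ in 0..steps {
        current = macro_block_before(current); // panics when current is genesis
        visited.push(current);
    }
    visited
}

/// Hardened shape: stop cleanly at genesis and bound the work per request.
fn walk_back(start: u32, max_steps: usize) -> Vec<u32> {
    let mut visited = Vec::new();
    let mut current = start;
    while visited.len() < max_steps {
        let Some(prev) = checked_macro_block_before(current) else { break };
        visited.push(prev);
        current = prev;
    }
    visited
}

fn main() {
    println!("{:?}", walk_back(150, 8));
    println!("{:?}", walk_back(GENESIS_BLOCK_NUMBER, 8));
}
```

In the hardened walk a request that starts at genesis yields an empty result instead of unwinding the handler.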
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 1.5.0 or later
- Review and monitor network traffic for suspicious RequestBatchSet messages
Evidence notes
CVE-2026-46543 has a CVSS score of 5.3 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-10T00:16:54.630Z and modified on 2026-06-10T19:37:41.437Z.
Official resources
CVE-2026-46543 was published on 2026-06-10T00:16:54.630Z and modified on 2026-06-10T19:37:41.437Z.