Vulnerability Details CVE-2026-34065
nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementation. Prior to version 1.3.0, an untrusted p2p peer can cause a node to panic by announcing an election macro block whose `validators` set contains an invalid compressed BLS voting key. Hashing an election macro header hashes `validators` and reaches `Validators::voting_keys()`, which calls `validator.voting_key.uncompress().unwrap()` and panics on invalid bytes. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 12.6%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-34065
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.1.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.10.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.4
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.11.5
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.12.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.12.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.13.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.13.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.14.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.15.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.16.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.16.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.17.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.18.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.19.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.2.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.2.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.2.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.4
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.20.5
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.21.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.21.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.22.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.22.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.22.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.22.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.23.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.24.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.24.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.24.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.24.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.24.4
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.3.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.3.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.3.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.3.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.4.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.4.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.5.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.5.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.5.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.5.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.5.4
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.6.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.7.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.8.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.8.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.8.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.8.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:0.9.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.2
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.3
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.4
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.5
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.6
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.7
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.8
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.0.9
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.1.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.1.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.2.0
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.2.1
-
cpe:2.3:a:nimiq:nimiq_proof-of-stake:1.2.2