CVE-2026-46543
MEDIUM 5.3
nimiq-blockchain: Genesis batch set request
Description
### Impact

A remote peer can crash any full node by sending a `RequestBatchSet` message containing the genesis block's hash. The handler calls `get_epoch_chunks`, which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_before` panics with "No macro blocks before genesis block".

### Patches

[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3745) is formally released as part of [v1.5.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0).

### Workarounds

No workaround, although requesting the genesis batch set is not used during normal operation.

### Resources

See [PR](https://github.com/nimiq/core-rs-albatross/pull/3745).
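The failure mode described under Impact, as an added example that is not code from nimiq or from the referenced patch: a backwards walk over macro blocks that panics when it starts at genesis, next to a variant that treats genesis as a normal stop condition. The constants, the arithmetic and the `walk_*` and `checked_macro_block_before` names are assumptions made for this simplified model.

```rust
// Simplified model of the failure mode; not nimiq code. Constants are constructed.
const GENESIS: u32 = 1_000; // hypothetical genesis block number
const BATCH_LEN: u32 = 60; // hypothetical spacing between macro blocks

/// Panicking lookup, mirroring the behaviour the advisory describes.
fn macro_block_before(n: u32) -> u32 {
    if n <= GENESIS {
        panic!("No macro blocks before genesis block");
    }
    (n - GENESIS - 1) / BATCH_LEN * BATCH_LEN + GENESIS
}

/// Total variant: the genesis case becomes a value the caller must handle.
fn checked_macro_block_before(n: u32) -> Option<u32> {
    (n > GENESIS).then(|| (n - GENESIS - 1) / BATCH_LEN * BATCH_LEN + GENESIS)
}

/// Unguarded backwards walk from a peer-chosen block: panics at genesis.
fn walk_unguarded(start: u32, steps: usize) -> Vec<u32> {
    let mut out = vec![start];
    let mut cur = start;
    for _ in 0..steps {
        cur = macro_block_before(cur);
        out.push(cur);
    }
    out
}

/// Guarded walk: stops at genesis, so peer input cannot reach the panic.
fn walk_guarded(start: u32, steps: usize) -> Vec<u32> {
    let mut out = vec![start];
    let mut cur = start;
    for _ in 0..steps {
        match checked_macro_block_before(cur) {
            Some(prev) => { out.push(prev); cur = prev; }
            None => break, // reached genesis: return what was collected
        }
    }
    out
}

fn main() {
    println!("{:?}", walk_guarded(GENESIS + 2 * BATCH_LEN, 5));
    println!("{:?}", walk_guarded(GENESIS, 5));
    let crashed = std::panic::catch_unwind(|| walk_unguarded(GENESIS, 5)).is_err();
    println!("unguarded walk from genesis panicked: {crashed}");
}
```

In a network message handler the same principle applies to every helper reachable from peer input: a panic there is a remote denial of service, so boundary cases should surface as `Option` or `Result` values.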
Affected packages (1)
- crates.io/nimiq-blockchain: from 0, < 1.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References (5)
- PATCH: https://github.com/nimiq/core-rs-albatross
- WEB: https://github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596
- WEB: https://github.com/nimiq/core-rs-albatross/pull/3745
- WEB: https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0
- WEB: https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm