MEDIUM 5.3

CVE-2026-44505: Nimiq network-libp2p DHT Query Indefinite Hang Vulnerability

Nimiq's network-libp2p component has a flaw in how it handles responses from peer nodes during Distributed Hash Table (DHT) lookups. When a peer returns a record that fails verification, the code fails to properly clean up internal tracking structures and notify waiting callers. This leaves caller processes hanging indefinitely, unable to complete their operations. The issue affects Nimiq versions prior to 1.4.0 and is resolved in that release.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-755
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-44505 is a resource exhaustion vulnerability in Nimiq's network-libp2p DHT handler. The handle_dht_get function in network-libp2p/src/swarm.rs fails to complete oneshot channels and clean up per-query bookkeeping when record verification fails via dht_verifier.verify(). Additionally, the DHT inconsistent state code path also returns without proper cleanup. Because Network::dht_get awaits the oneshot indefinitely without timeout logic, callers can block permanently. The underlying issue is rooted in incomplete error handling that violates the cleanup contract expected by the async runtime.

Business impact

Availability is the primary concern. An attacker controlling or influencing peers in the DHT can craft responses that trigger verification failures, causing legitimate peers to exhaust connection slots and internal query tracking resources. Over time, this can degrade or halt DHT operations, affecting consensus participation and network communication for Nimiq validator and full nodes. For staking operations or time-sensitive transactions, this denial-of-service condition creates operational risk.

Affected systems

Nimiq implementations using network-libp2p versions prior to 1.4.0 are affected. This includes both validator and full node deployments that rely on DHT queries for peer discovery, record lookup, and consensus operations. The vulnerability is specific to the Rust Nimiq implementation and the Albatross consensus protocol stack.

Exploitability

Exploitation requires the ability to become or influence a peer in the DHT network and respond to get-record queries. The attack vector is network-based with no authentication or privilege requirements. An attacker does not need to compromise a specific node; participation in the DHT as a malicious peer is sufficient. The CVSS 3.1 score of 5.3 (MEDIUM, AV:N/AC:L) reflects low complexity and no preconditions, but impact is limited to availability. Real-world feasibility depends on the attacker's ability to attract or route queries to their controlled peer nodes.

Remediation

Upgrade Nimiq and network-libp2p to version 1.4.0 or later. This release includes proper cleanup of oneshot channels and per-query bookkeeping on all error paths, including verification failures and DHT inconsistent state conditions. Verify the patch has been applied by checking dependency versions in your Cargo.lock or equivalent dependency manifest.

Patch guidance

Update network-libp2p to version 1.4.0 or newer. If Nimiq is distributed as a monolithic package, verify the release notes confirm inclusion of the network-libp2p patch. Test the update in a non-production environment to ensure DHT operations and consensus participation function correctly. Monitor peer connection metrics and DHT query latencies during and after rollout to detect any unexpected behavior.

Detection guidance

Monitor Nimiq logs for repeated 'DHT inconsistent state' messages or verification errors on the same peer addresses, which may indicate malicious peers. Track the number of pending DHT queries and oneshot channels—abnormal accumulation suggests hung queries. Watch for elevated memory usage correlated with DHT activity. Network-level detection is difficult without deep packet inspection; focus on behavioral indicators such as consensus stalls, missing block proposals, or timeouts in validator operations after DHT interactions.

Why prioritize this

Although scored MEDIUM severity, this vulnerability poses meaningful risk to Nimiq's consensus layer because it can disable DHT-dependent discovery and record lookup. Validator nodes that become unable to query the DHT may fall out of sync or fail to participate in consensus rounds. The ease of exploitation (network-based, low complexity, no privileges) and the indefinite hang condition (not a brief timeout) elevate operational priority. Patch deployment should precede any high-stakes consensus events or major network upgrades.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-accessible vulnerability with low attack complexity and no authentication, but limited impact scope. Confidentiality and integrity are unaffected; only availability is compromised. The score does not account for context-specific risks in blockchain or consensus protocols, where availability directly impacts liveness and finality. Organizations running Nimiq validators should treat this as higher priority than the base score alone suggests.

Frequently asked questions

Can this vulnerability allow an attacker to steal funds or manipulate consensus?

No. The vulnerability only causes availability degradation through indefinite hangs in DHT queries. It does not enable unauthorized state changes, transaction manipulation, or fund theft. The impact is denial of service, not confidentiality or integrity breach.

Do I need to patch immediately if I run a non-validator Nimiq full node?

Yes, but priority is slightly lower than for validators. Full nodes also rely on DHT for peer discovery and will experience connectivity issues. However, they do not directly participate in consensus, so the operational impact is less critical than for staking or validator infrastructure.

What does 'DHT inconsistent state' mean in this context?

The DHT bookkeeping tracks active queries and pending responses. When cleanup is skipped on error paths, internal state becomes out of sync with actual network operations. Subsequent queries may fail to find the inconsistency and themselves return without cleanup, compounding the issue.

How long can a caller actually hang?

Without a timeout in Network::dht_get, the caller can hang indefinitely until the process is manually restarted or killed. In production environments, this typically triggers external watchdog timers or readiness checks that mark the node as unhealthy, but the underlying query never completes.

This analysis is provided for informational purposes. The details, affected versions, and patch information are derived from the CVE record and vendor advisories. Organizations must verify patch applicability and test in controlled environments before production deployment. Nimiq operators should consult official Nimiq security documentation and release notes for definitive guidance. This summary does not constitute security advice specific to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).