HIGH 7.5

CVE-2026-46541: Nimiq DHT Poisoning Denial-of-Service Vulnerability

Nimiq, a Rust-based blockchain network implementation, contains a flaw in its distributed hash table (DHT) lookup mechanism that allows an attacker to poison the DHT retrieval process. When the first DHT record received fails verification (which an attacker can engineer), the system never initializes its result accumulator. This causes all subsequent legitimate records to be rejected as inconsistent, effectively blocking the node from retrieving valid network data. An unauthenticated attacker on the network can trigger this condition, degrading node functionality without requiring special privileges or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-754
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the handle_dht_get() function prior to version 1.4.0. The DhtResults accumulator initialization is gated behind successful verification of the first DHT record received. If a malicious peer sends a record that fails cryptographic verification, the accumulator remains uninitialized. Subsequent valid records from honest peers are then rejected because the code path expects an initialized accumulator; the absence triggers "DHT inconsistent state" error handling that discards the data. This is a logic flaw in initialization sequencing (CWE-754: Improper Resource Validation) that prevents normal DHT synchronization and state recovery. The vulnerability is network-exploitable with no authentication barrier.

Business impact

For organizations or validators running Nimiq nodes, this flaw can cause network partitioning and data synchronization failure. Validators may be unable to retrieve critical state information from the DHT, potentially leading to chain sync delays, missed block proposals, or inability to participate in consensus. Staking rewards and network participation are at risk. For exchanges, custodians, or infrastructure operators, degraded DHT performance translates to reduced availability and operational complexity during incident response.

Affected systems

Nimiq implementations prior to version 1.4.0 are affected. This includes any Nimiq node, validator, or client software running pre-1.4.0 releases. The vulnerability is specific to the Albatross consensus implementation and does not affect other blockchain systems. Affected parties should verify their running version via standard Nimiq tooling (e.g., --version flag or RPC queries).

Exploitability

Exploitation is straightforward: an attacker positioned on the network can send a single invalid DHT record to a target node. No cryptographic breaking is required—the attacker simply crafts a record that fails the protocol's verification checks. Once accepted and rejected, the node's DHT mechanism is poisoned for the remainder of the session, blocking all subsequent valid lookups. This can be executed repeatedly against multiple nodes with minimal cost. The attack requires network access but no authentication, making it a viable denial-of-service vector in adversarial network environments.

Remediation

Upgrade all Nimiq instances to version 1.4.0 or later. The patch relocates accumulator initialization to occur before the first record is processed, ensuring that valid records can be processed even if early records fail verification. After upgrading, restart affected nodes to activate the patched code path. No state migration or additional configuration changes are required. Verify successful upgrade by confirming the version string and observing normal DHT synchronization logs.

Patch guidance

Deploy Nimiq version 1.4.0 as the minimum patched release. Review your organization's dependency management, build, and deployment pipelines to ensure timely distribution of the patched binary. Test the upgrade in a non-critical environment first to confirm compatibility with your monitoring and infrastructure. Plan for coordinated rollout if you operate multiple validator nodes, as a phased approach can minimize disruption. Confirm that the patched version is obtained from official Nimiq repositories to avoid supply-chain risks.

Detection guidance

Monitor Nimiq node logs for repeated "DHT inconsistent state" error messages, which indicate potential poisoning attempts. Check DHT sync metrics and state retrieval success rates; a sudden drop suggests active exploitation. Implement network telemetry to identify sources of invalid DHT records. Watch for patterns of nodes reporting sync failures after specific peers join the network neighborhood. Pre-patch, you can harden exposure by restricting DHT peer connections to trusted nodes, though this reduces network redundancy. Post-patch verification can compare DHT state consistency across multiple nodes to confirm recovery.

Why prioritize this

This vulnerability merits HIGH priority remediation due to its network-level impact and ease of exploitation. Attackers do not need to compromise a node directly; they only need network presence. The condition is repeatable and affects core consensus functionality. For validators, the impact directly threatens revenue and reputation. Organizations operating Nimiq infrastructure should treat this as urgent, though the absence of active KEV exploitation tracking suggests real-world attacks are not yet documented at scale.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects a high-impact availability attack (A:H) over the network (AV:N) with low attack complexity (AC:L) and no privilege or user interaction requirements. The integrity and confidentiality scores are unaffected because the attack does not exfiltrate or corrupt data—it only blocks access. The scope is unchanged (S:U) because the attack is contained to the target node's DHT function. This score appropriately captures a denial-of-service threat that can be triggered at will by any network participant.

Frequently asked questions

Can an attacker actually forge a DHT record that fails verification?

Yes. DHT records must be signed or meet specific validation criteria (e.g., proof-of-work, hash constraints). An attacker can construct invalid records that violate these checks without needing to forge valid signatures. The vulnerability is triggered by any record that fails verification, not by a specific weakness in the cryptography.

Does upgrading to 1.4.0 require resyncing the blockchain?

No. The patch addresses only the DHT lookup mechanism, not chain state. Existing blockchain data remains valid. After upgrade, the node will resume normal DHT operations and sync any missed state in the background. A full blockchain resync is not necessary.

If I restrict my DHT peer list, am I protected until I can patch?

Partially. Restricting DHT peers to a whitelist of trusted nodes reduces the attack surface, but does not eliminate risk if any whitelisted peer is compromised or malicious. This is a temporary hardening measure, not a substitute for patching. You trade network redundancy for reduced exposure.

How long has this been exploited in the wild?

There is no evidence of active exploitation in the wild prior to disclosure. The vulnerability was patched in version 1.4.0 and is not listed on CISA's Known Exploited Vulnerabilities catalog. However, the low barrier to exploitation means this should be treated as a latent risk requiring swift remediation.

This analysis is based on the published CVE record and vendor advisory as of the modification date. Nimiq version 1.4.0 is cited as the patched release; verify against official vendor documentation before deployment. No exploit code or proof-of-concept steps are provided. This vulnerability is not currently tracked on CISA's KEV list; organizations should perform independent risk assessment based on their Nimiq deployment scope and risk tolerance. SEC.co does not endorse any specific vendor or mitigation product. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).