{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nimiq-keys--0.2.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nimiq-keys (\u003c= 0.2.0)"],"_cs_severities":["medium"],"_cs_tags":["dos","nimiq","signature-validation"],"_cs_type":"advisory","_cs_vendors":["Nimiq"],"content_html":"\u003cp\u003eA remote denial-of-service vulnerability exists within the Nimiq \u003ccode\u003enimiq-keys\u003c/code\u003e component, specifically affecting versions 0.2.0 and earlier. This flaw, identified as CVE-2026-40092, allows a malicious actor on the Nimiq network to deliberately crash a full node. The attack involves crafting a Kademlia Distributed Hash Table (DHT) record that contains a \u003ccode\u003eTaggedSigned\u0026lt;ValidatorRecord, KeyPair\u0026gt;\u003c/code\u003e structure with a malformed signature. Specifically, the signature field must not be exactly 64 bytes in length. The vulnerability lies in the insufficient validation of the signature length within the \u003ccode\u003eTaggedPublicKey::verify\u003c/code\u003e function, which leads to a panic and node crash. This issue was addressed in version 1.4.0 of the \u003ccode\u003ecore-rs-albatross\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Kademlia DHT record.\u003c/li\u003e\n\u003cli\u003eThe record includes a \u003ccode\u003eTaggedSigned\u0026lt;ValidatorRecord, KeyPair\u0026gt;\u003c/code\u003e structure.\u003c/li\u003e\n\u003cli\u003eThe signature field within this structure is intentionally set to a length other than 64 bytes.\u003c/li\u003e\n\u003cli\u003eThe attacker publishes this crafted DHT record to the Nimiq network.\u003c/li\u003e\n\u003cli\u003eA victim Nimiq full node receives the malicious DHT record.\u003c/li\u003e\n\u003cli\u003eThe victim node\u0026rsquo;s DHT verifier processes the record and calls \u003ccode\u003eTaggedSigned::verify\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eTaggedSigned::verify\u003c/code\u003e, the \u003ccode\u003eEd25519Signature::from_bytes(sig).unwrap()\u003c/code\u003e function is called.\u003c/li\u003e\n\u003cli\u003eBecause the signature \u003ccode\u003esig\u003c/code\u003e is not 64 bytes, \u003ccode\u003eed25519_zebra::Signature::try_from\u003c/code\u003e fails, causing \u003ccode\u003eunwrap()\u003c/code\u003e to panic, crashing the node.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition for the targeted Nimiq full node. An attacker can repeatedly trigger this crash, potentially disrupting the Nimiq network\u0026rsquo;s stability. The number of affected nodes depends on the attacker\u0026rsquo;s ability to distribute the crafted DHT records across the network. This could impact the availability of the Nimiq network, making it unavailable for legitimate users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Nimiq \u003ccode\u003ecore-rs-albatross\u003c/code\u003e version 1.4.0 or later, which includes the patch for CVE-2026-40092 (see \u003ca href=\"https://github.com/nimiq/core-rs-albatross/pull/3708\"\u003ePR\u003c/a\u003e and \u003ca href=\"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0\"\u003ev1.4.0\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement a network monitoring rule to detect unusual DHT record sizes or malformed signature lengths being propagated across the Nimiq network. While no specific rule is provided, monitoring network traffic for anomalies related to DHT records could provide early warning of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T16:32:50Z","date_published":"2026-05-15T16:32:50Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nimiq-keys-dos/","summary":"A malicious network peer can crash a Nimiq full node by publishing a crafted Kademlia DHT record due to unchecked Ed25519 signature length in `TaggedPublicKey::verify` (CVE-2026-40092).","title":"Nimiq nimiq-keys Ed25519 Signature Length Vulnerability (CVE-2026-40092)","url":"https://feed.craftedsignal.io/briefs/2026-05-nimiq-keys-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Nimiq-Keys (\u003c= 0.2.0)","version":"https://jsonfeed.org/version/1.1"}