Nimiq-Keys (<= 0.2.0) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/nimiq-keys--0.2.0/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 16:32:50 +0000Nimiq nimiq-keys Ed25519 Signature Length Vulnerability (CVE-2026-40092)https://feed.craftedsignal.io/briefs/2026-05-nimiq-keys-dos/Fri, 15 May 2026 16:32:50 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-nimiq-keys-dos/A malicious network peer can crash a Nimiq full node by publishing a crafted Kademlia DHT record due to unchecked Ed25519 signature length in `TaggedPublicKey::verify` (CVE-2026-40092).A remote denial-of-service vulnerability exists within the Nimiq nimiq-keys component, specifically affecting versions 0.2.0 and earlier. This flaw, identified as CVE-2026-40092, allows a malicious actor on the Nimiq network to deliberately crash a full node. The attack involves crafting a Kademlia Distributed Hash Table (DHT) record that contains a TaggedSigned<ValidatorRecord, KeyPair> structure with a malformed signature. Specifically, the signature field must not be exactly 64 bytes in length. The vulnerability lies in the insufficient validation of the signature length within the TaggedPublicKey::verify function, which leads to a panic and node crash. This issue was addressed in version 1.4.0 of the core-rs-albatross library.

Attack Chain

  1. Attacker crafts a malicious Kademlia DHT record.
  2. The record includes a TaggedSigned<ValidatorRecord, KeyPair> structure.
  3. The signature field within this structure is intentionally set to a length other than 64 bytes.
  4. The attacker publishes this crafted DHT record to the Nimiq network.
  5. A victim Nimiq full node receives the malicious DHT record.
  6. The victim node’s DHT verifier processes the record and calls TaggedSigned::verify.
  7. Inside TaggedSigned::verify, the Ed25519Signature::from_bytes(sig).unwrap() function is called.
  8. Because the signature sig is not 64 bytes, ed25519_zebra::Signature::try_from fails, causing unwrap() to panic, crashing the node.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition for the targeted Nimiq full node. An attacker can repeatedly trigger this crash, potentially disrupting the Nimiq network’s stability. The number of affected nodes depends on the attacker’s ability to distribute the crafted DHT records across the network. This could impact the availability of the Nimiq network, making it unavailable for legitimate users.

Recommendation

  • Upgrade to Nimiq core-rs-albatross version 1.4.0 or later, which includes the patch for CVE-2026-40092 (see PR and v1.4.0).
  • Implement a network monitoring rule to detect unusual DHT record sizes or malformed signature lengths being propagated across the Nimiq network. While no specific rule is provided, monitoring network traffic for anomalies related to DHT records could provide early warning of exploitation attempts.
]]>mediumadvisorydosnimiqsignature-validation