CVE-2026-44505

5.3 MEDIUM

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-755

Description

Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. network-libp2p handles kad get-record query progress in handle_dht_get (network-libp2p/src/swarm.rs). Prior to version 1.4.0, when a peer returns a FoundRecord, the code verifies the record via dht_verifier.verify(&record.record). On verifier error, handle_dht_get logs and returns early without completing the oneshot used by Network::dht_get, and without cleaning up per-query bookkeeping. Later query progress can hit the "DHT inconsistent state" path and also return without cleanup. Because Network::dht_get awaits the oneshot without a timeout, the caller future can hang indefinitely. This issue has been patched in version 1.4.0.

Source: NVD

References

Related CVEs

Same CWE

CVE-2023-43686 — An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later) (6.2 MEDIUM)
CVE-2026-49235 — When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes
CVE-2026-49232 — Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of ...
CVE-2026-9516 — Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws (7.5 HIGH)
CVE-2026-48524 — PyJWT is a JSON Web Token implementation in Python (3.7 LOW)