CVE-2026-34066 MEDIUM

CVE-2026-34066: nimiq-blockchain: Peer-triggerable panic during history sync

Vendor Nimiq

Product nimiq-blockchain

Weakness CWE-20 · Input validation

Published April 22, 2026

Last update April 23, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction Required

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. Prior to version 1.3.0, `HistoryStore::put_historic_txns` uses an `assert!` to enforce invariants about `HistoricTransaction.block_number` (must be within the macro block being pushed and within the same epoch). During history sync, a peer can influence the `history: &[HistoricTransaction]` input passed into `Blockchain::push_history_sync`, and a malformed history list can violate these invariants and trigger a panic. `extend_history_sync` calls `this.history_store.add_to_history(..)` before comparing the computed history root against the macro block header (`block.history_root()`), so the panic can happen before later rejection checks run. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

Key dates

02Disclosure timeline

April 22, 2026 CVE published

April 23, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-34066

Related vulnerabilities

CVE-2026-34066: nimiq-blockchain: Peer-triggerable panic during history sync

01Description

02Disclosure timeline

03References

04Related CVE