CVE-2026-34064: nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` ret...

Description

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

Metrics

CVSS 3.1

8.2/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS Probability

0.27%

19.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-191

Affected Software

Vendor	Product	Versions
Nimiq	Nimiq Proof-Of-Stake	< 1.3.0

References

https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0Patch
https://github.com/nimiq/core-rs-albatross/pull/3658Issue Tracking, Patch
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0Release Notes
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3Patch, Vendor Advisory

Timeline

Published: Apr 22, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-34064?

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

How severe is CVE-2026-34064?

CVE-2026-34064 has a CVSS score of 8.2/10 (HIGH severity). The EPSS model estimates a 0.27% probability of exploitation in the next 30 days.

How do I fix CVE-2026-34064?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.