CVE-2026-46541
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk12th percentile - higher than 12% of all known CVEs
Summary
In versions prior to 1.4.0 of Nimiq, in the handle_dht_get() function, the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with 'DHT inconsistent state' errors.
Risk Assessment
Organizations may be at risk of losing important DHT data, which can lead to issues with the integrity and availability of information in the system. Malicious nodes may exploit this vulnerability to disrupt network operations.
Recommendation
It is recommended to upgrade to version 1.4.0 or later to patch this vulnerability and ensure the proper functioning of the DhtResults accumulator.
Original NVD description (English source)
Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.4.0, iIn handle_dht_get(), the DhtResults accumulator is only initialized when the first DHT record passes verification. If the first record fails (from a malicious DHT node), DhtResults is never created, and all subsequent valid records are discarded with "DHT inconsistent state" errors. This issue has been patched in version 1.4.0.

