Description

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.

INFO

Published Date :

2026-04-22T19:43:04.453Z

Last Modified :

2026-04-23T16:25:19.186Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-34064 vulnerability.

Vendors Products
Nimiq
  • Nimiq-account
  • Nimiq Proof-of-stake
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-34064.

URL Resource
https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/pull/3658 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0 cve-icon cve-icon
https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact