Publish Advisories

GHSA-h9cc-w26m-j342
GHSA-vghx-352f-93jm

Author: advisory-database[bot]

advisories/github-reviewed/2026/05/GHSA-h9cc-w26m-j342/GHSA-h9cc-w26m-j342.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h9cc-w26m-j342",
+  "modified": "2026-05-21T19:45:08Z",
+  "published": "2026-05-21T19:45:08Z",
+  "aliases": [
+    "CVE-2026-46542"
+  ],
+  "summary": "nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points",
+  "details": "### Impact\n\nA denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. `Ed25519PublicKey::delinearize()` in `keys/src/multisig/mod.rs` called `.unwrap()` on curve point decompression, which panics when a public key is\nconstructed from 32 bytes that do not represent a valid point on the Ed25519 curve. `Ed25519PublicKey` construction only validates byte length, not curve membership, so invalid keys can reach the delinearization path and crash the\nhosting process.\n\nA secondary panic existed in `Commitment::From<[u8; 32]>`, which similarly called `.unwrap()` on a failing curve point decompression.\n\n**Who is affected:** Browser and desktop wallet users of the web-client WASM library and the `nimiq-wallet` crate, when initiating a multisig operation with an attacker-supplied public key. An attacker must convince the user to include\na crafted public key in a multisig setup — this is not a remotely triggerable node/validator crash.\n\n**Who is NOT affected:** Validator nodes, consensus, blockchain, mempool, and networking code. There is no on-chain multisig account type; multisig is a purely client-side construct, and no validator/consensus code calls the multisig  delinearization path.\n\n### Patches\n\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3713).\n\n### Workarounds\n\nNo code-level workaround exists short of the patch. Users of wallet applications can mitigate exposure by only performing multisig operations with public keys received from trusted sources.\n\n### Resources\n- Affected code: `keys/src/multisig/mod.rs`, `keys/src/multisig/commitment.rs`",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "nimiq-keys"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.4.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-h9cc-w26m-j342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/pull/3713"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/commit/3bc449a8138960c4de6bfd506bad1730c621d4de"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nimiq/core-rs-albatross"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-21T19:45:08Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/05/GHSA-vghx-352f-93jm/GHSA-vghx-352f-93jm.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-vghx-352f-93jm",
+  "modified": "2026-05-21T19:46:15Z",
+  "published": "2026-05-21T19:46:15Z",
+  "aliases": [
+    "CVE-2026-46543"
+  ],
+  "summary": "nimiq-blockchain: Genesis batch set request",
+  "details": "### Impact\nA remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls `get_epoch_chunks` which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_before` panics with \"No macro blocks before genesis block\".\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3745) is formally released as part of [v1.5.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0).\n\n### Workarounds\nNo Workaround, although requesting the genesis batch set is not used during normal operation.\n\n### Resources\nSee [PR](https://github.com/nimiq/core-rs-albatross/pull/3745).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "nimiq-blockchain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/pull/3745"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nimiq/core-rs-albatross"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-21T19:46:15Z",
+    "nvd_published_at": null
+  }
+}