HIGH🇵🇱 Wersja polska

CVE-2026-40093

CVSS 8.1v3.1pub. 2026-04-09upd. 2026-04-24

nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In 1.3.0 and earlier, block timestamp validation enforces that timestamp >= parent.timestamp for non-skip blocks and timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block timestamps arbitrarily far in the future. This directly affects reward calculations via Policy::supply_at() and batch_delay() in blockchain/src/reward.rs, inflating the monetary supply beyond the intended emission schedule.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
  • Nimiq Proof Of Stake

    APP
    Nimiq
    < 1.3.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-33471CRITICAL9.6PL ✓ten sam produkt

Nimiq Proof-Of-Stake: obejście weryfikacji kworum w SkipBlockProof

CVE-2026-34065HIGH7.5ten sam produkt

nimiq-primitives contains primitives (e.g., block, account, transaction) to be used in Nimiq's Rust implementa...

CVE-2026-34063HIGH7.5ten sam produkt

Nimiq's network-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, `network-lib...

CVE-2026-32605HIGH7.5ten sam produkt

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross c...

CVE-2026-33184HIGH7.5ten sam produkt

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross c...