{"api_version":"1","generated_at":"2026-04-23T05:24:34+00:00","cve":"CVE-2026-34064","urls":{"html":"https://cve.report/CVE-2026-34064","api":"https://cve.report/api/cve/CVE-2026-34064.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34064","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34064"},"summary":{"title":"nimiq-account: Vesting insufficient funds error can panic","description":"nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-22 20:16:40","updated_at":"2026-04-22 21:23:52"},"problem_types":["CWE-191","CWE-191 CWE-191: Integer Underflow (Wrap or Wraparound)"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3","name":"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","name":"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/nimiq/core-rs-albatross/pull/3658","name":"https://github.com/nimiq/core-rs-albatross/pull/3658","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0","name":"https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34064","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34064","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"nimiq","product":"nimiq-account","version":"affected < 1.3.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"nimiq-account","vendor":"nimiq","versions":[{"status":"affected","version":"< 1.3.0"}]}],"descriptions":[{"lang":"en","value":"nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-191","description":"CWE-191: Integer Underflow (Wrap or Wraparound)","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-22T19:43:04.453Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3","tags":["x_refsource_CONFIRM"],"url":"https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3"},{"name":"https://github.com/nimiq/core-rs-albatross/pull/3658","tags":["x_refsource_MISC"],"url":"https://github.com/nimiq/core-rs-albatross/pull/3658"},{"name":"https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0","tags":["x_refsource_MISC"],"url":"https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0"},{"name":"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","tags":["x_refsource_MISC"],"url":"https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"}],"source":{"advisory":"GHSA-vc34-39q2-m6q3","discovery":"UNKNOWN"},"title":"nimiq-account: Vesting insufficient funds error can panic"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34064","datePublished":"2026-04-22T19:43:04.453Z","dateReserved":"2026-03-25T16:21:40.867Z","dateUpdated":"2026-04-22T19:43:04.453Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 20:16:40","lastModifiedDate":"2026-04-22 21:23:52","problem_types":["CWE-191","CWE-191 CWE-191: Integer Underflow (Wrap or Wraparound)"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34064","Ordinal":"1","Title":"nimiq-account: Vesting insufficient funds error can panic","CVE":"CVE-2026-34064","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34064","Ordinal":"1","NoteData":"nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, `VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance < min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap > balance`, the node crashes while trying to return an error. The `min_cap > balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount <= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing. The patch for this vulnerability is included as part of v1.3.0. No known workarounds are available.","Type":"Description","Title":"nimiq-account: Vesting insufficient funds error can panic"}]}}}