GHSA-vghx-352f-93jm
nimiq-blockchain: Genesis batch set request
Details
### Impact

A remote peer can crash any full node by sending a `RequestBatchSet` message containing the genesis block's hash. The handler calls `get_epoch_chunks`, which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_before` panics with "No macro blocks before genesis block".
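A minimal model of this failure mode, added here as an illustration and not taken from core-rs-albatross. The constants, `checked_macro_block_before` and both walk functions are hypothetical, and the guard shown is one possible approach, not necessarily what the patch does.

```rust
use std::panic;

// Constructed values for this model; not the real Nimiq policy constants.
const GENESIS_BLOCK_NUMBER: u32 = 0;
const BLOCKS_PER_BATCH: u32 = 60;

/// Model of the panicking helper: the last macro block strictly before `n`.
fn macro_block_before(n: u32) -> u32 {
    if n <= GENESIS_BLOCK_NUMBER {
        panic!("No macro blocks before genesis block");
    }
    (n - GENESIS_BLOCK_NUMBER - 1) / BLOCKS_PER_BATCH * BLOCKS_PER_BATCH + GENESIS_BLOCK_NUMBER
}

/// Non-panicking variant (hypothetical): `None` when nothing precedes genesis.
fn checked_macro_block_before(n: u32) -> Option<u32> {
    (n > GENESIS_BLOCK_NUMBER).then(|| macro_block_before(n))
}

/// Backward walk that trusts a peer-supplied start block (the failure mode).
fn walk_back_unchecked(start: u32, steps: usize) -> Vec<u32> {
    let mut out = Vec::new();
    let mut cur = start;
    for _ in 0..steps {
        cur = macro_block_before(cur); // panics once `cur` is the genesis block
        out.push(cur);
    }
    out
}

/// Backward walk that ends at genesis instead of unwinding the handler.
fn walk_back_checked(start: u32, steps: usize) -> Vec<u32> {
    let mut out = Vec::new();
    let mut cur = start;
    while out.len() < steps {
        let Some(prev) = checked_macro_block_before(cur) else { break };
        out.push(prev);
        cur = prev;
    }
    out
}

/// True if the unchecked walk panics for this start block.
fn unchecked_panics(start: u32) -> bool {
    panic::catch_unwind(move || walk_back_unchecked(start, 4)).is_err()
}

fn main() {
    println!("{:?} {}", walk_back_checked(120, 4), unchecked_panics(GENESIS_BLOCK_NUMBER));
}
```

The general point for handlers of peer-supplied block identifiers: a helper that panics on a boundary value needs either a fallible variant or an explicit boundary check before the call.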
### Patches

[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/pull/3745) is formally released as part of [v1.5.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0).
### Workarounds

No workaround, although requesting the genesis batch set is not used during normal operation.
### Resources

See [PR](https://github.com/nimiq/core-rs-albatross/pull/3745).
Affected packages
0 Fixed in: 1.5.0 Upgrade nimiq-blockchain to 1.5.0 or newer (ecosystem crates.io).
References
- https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vghx-352f-93jm [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-46543 [ADVISORY]
- https://github.com/nimiq/core-rs-albatross/pull/3745 [WEB]
- https://github.com/nimiq/core-rs-albatross/commit/8e8b0abdb1b66f5e9b25b3833879f05c173a5596 [WEB]
- https://github.com/nimiq/core-rs-albatross [PACKAGE]
- https://github.com/nimiq/core-rs-albatross/releases/tag/v1.5.0 [WEB]