A malformed GETDATA message could trigger an infinite loop on the receiving node, using 100% of the CPU allocated to this thread and not making further progress on this connection.

This issue is considered Low severity.


Before Bitcoin Core 0.20.0, an attacker (or buggy client, even) could send us a GETDATA message that would cause our net_processing thread to start spinning at 100%, and not make progress processing messages for the attacker peer anymore. It would still make progress processing messages from other peers, so it is just a CPU DoS with low impact beyond that (not making progress for attacker peers is a non-issue). It also increases per-peer long-term memory usage up by 1.5 MB per attacker peer.

John Newbery opened PR #18808 to fix this issue by only disclosing the lack of progress.


Credits to John Newbery for finding this bug, responsibly disclosing it and fixing it.


  • 2020-04-29 John Newbery opens #18808
  • 2020-05-08 John Newbery reports his finding by email
  • 2020-05-12 #18808 is merged
  • 2020-06-03 Bitcoin Core version 0.20.0 is released with a fix
  • 2021-09-13 The last vulnerable Bitcoin Core version (0.19.x) goes EOL
  • 2024-07-03 Public disclosure.