A node could be forced to allocate a significant amount of memory upon receiving a specially crafted INV message. This was particularly an issue for nodes with little available memory or a large number of connections.

This issue is considered Medium severity.

Details

An INV message filled with 50,000 block items could cause 50,000 getheaders responses to be sent in a single ProcessMessages() call. Each response contains a locator and is around 1 kB. All would be put into the send buffer at once. The attacker could just refuse to receive data to prevent the 50 MB buffer from draining.

John Newbery opened PR #18962 to fix this issue, under the pretext of a bandwidth gain from sending a single GETHEADERS per received INV.
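The following Python model is added here to illustrate the two behaviours described above; it is not Bitcoin Core's own code. It serializes and parses an INV payload in the P2P wire format, then compares how many bytes of GETHEADERS replies the pre-fix handling (one reply per unknown block) and the post-fix handling (one reply per received INV) leave in the send buffer. The 1 kB locator size and the 50,000-entry limit are the advisory's figures; the block hashes are constructed.

```python
import hashlib
import struct

MAX_INV_SZ = 50_000        # inv entries allowed per message on the Bitcoin P2P network
MSG_BLOCK = 2              # inv type code for a block announcement
LOCATOR_MSG_BYTES = 1_000  # approx. size of one getheaders reply (locator), per the advisory

def encode_varint(n):  # CompactSize; counts up to 0xffff cover any valid inv
    return bytes([n]) if n < 0xfd else b"\xfd" + struct.pack("<H", n)

def decode_varint(data, pos):  # CompactSize; an inv never needs more than the 3-byte form
    first = data[pos]
    if first < 0xfd:
        return first, pos + 1
    if first != 0xfd:
        raise ValueError("count too large for an inv")
    return struct.unpack_from("<H", data, pos + 1)[0], pos + 3

def build_inv(hashes, inv_type=MSG_BLOCK):  # CompactSize count, then (uint32 type, 32-byte hash) entries
    return encode_varint(len(hashes)) + b"".join(struct.pack("<I", inv_type) + h for h in hashes)

def parse_inv(payload):
    count, pos = decode_varint(payload, 0)
    if count > MAX_INV_SZ:
        raise ValueError("oversized inv")  # rejected before any processing
    for _ in range(count):
        yield struct.unpack_from("<I", payload, pos)[0], payload[pos + 4:pos + 36]
        pos += 36

def process_inv_vulnerable(payload, known_blocks, send_buffer):
    # Pre-fix model: one getheaders queued for every unknown block in the inv
    for inv_type, h in parse_inv(payload):
        if inv_type == MSG_BLOCK and h not in known_blocks:
            send_buffer.append(LOCATOR_MSG_BYTES)

def process_inv_fixed(payload, known_blocks, send_buffer):
    # Post-fix model: a single getheaders per received inv, whatever it announces
    best = None
    for inv_type, h in parse_inv(payload):
        if inv_type == MSG_BLOCK and h not in known_blocks:
            best = h
    if best is not None:
        send_buffer.append(LOCATOR_MSG_BYTES)

def queued_bytes(handler, n_items):
    # Bytes the handler leaves in the send buffer for an inv of n_items unknown blocks
    hashes = [hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n_items)]  # constructed
    buf = []
    handler(build_inv(hashes), known_blocks=set(), send_buffer=buf)
    return sum(buf)
```

`queued_bytes(process_inv_vulnerable, MAX_INV_SZ)` reports the 50 MB figure from the advisory, while the fixed handler queues a single 1 kB reply for the same message.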

Attribution

Credits to John Newbery for finding this bug, responsibly disclosing it and fixing it.

Timeline

  • 2020-05-08 John Newbery reports his finding by email
  • 2020-05-12 John Newbery opens #18962
  • 2020-05-14 #18962 is merged
  • 2020-06-03 Bitcoin Core version 0.20.0 is released with a fix
  • 2021-09-13 The last vulnerable Bitcoin Core version (0.19.x) goes EOL
  • 2024-07-03 Public disclosure