Security Advisories
Overview
This page summarizes policies in relation to disclosing vulnerabilities in Bitcoin Core, as well as provides a summary of historical Security Advisories.
Policy
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- Low: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim’s machine.
- Medium: bugs with limited impact. For instance a local network remote crash.
- High: bugs with significant impact. For instance a remote crash, or a local network RCE.
- Critical: bugs which threaten the whole network’s integrity. For instance an inflation or coin theft bug.
Low severity bugs will be disclosed 2 weeks after a fixed version exists on the current major release branch. A pre-announcement will be made at the same time as the release.
Medium and High severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
Critical bugs are not covered by the standard policy, as they would most likely require an ad-hoc procedure. Note also that a reported bug may not be considered a vulnerability at all, and a reported issue may be considered serious yet not require an embargo.
Past Security Advisories
CVE-2024-52922 - Hindered block propagation due to stalling peers
A peer could hinder block propagation by announcing a block first and then simply withholding it.
Disclosure of CVE-2024-35202
An attacker could remotely crash a Bitcoin Core node by triggering an assertion in the blocktxn message handling logic.
Disclosure of DoS due to inv-to-send sets growing too large
The inv-to-send sets could grow so large that the time spent sorting them affected the node’s ability to communicate with its peers.
CVE-2024-52921 - Hindered block propagation due to mutated blocks
A peer could hinder block propagation by sending mutated blocks.
CVE-2019-25220 - Memory DoS due to headers spam
An attacker could spam a Bitcoin Core node with low-difficulty headers chains, which could be used to remotely crash it.
CVE-2024-52919 - Remote crash due to addr message spam
Nodes could be spammed with addr messages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52917 - Infinite loop bug in the miniupnp dependency
Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52918 - Crash using malicious BIP72 URI
The BIP70 implementation in Bitcoin-Qt could silently crash when opening a BIP72 URI. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52920 - DoS using huge GETDATA messages
A malformed GETDATA message could trigger 100% CPU usage on the receiving node. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52916 - Memory DoS using low-difficulty headers
Nodes could be spammed with low-difficulty headers, which could be used to crash them. A fix was released on September 14th, 2017 in Bitcoin Core 0.15.0.
CVE-2024-52915 - Memory DoS using huge INV messages
Nodes would allocate up to 50 MB of memory per attacker sending a malicious INV message. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52914 - Significant DoS due to orphan handling
A node could be stalled for hours when receiving a specially crafted unconfirmed transaction. A fix was released on May 18th, 2019 in Bitcoin Core 0.18.0.
CVE-2024-52912 - Netsplit due to timestamp adjustment
A node could be split from the network when attacked by its first 200 peers. A fix was released on January 15th, 2021 in Bitcoin Core version 0.21.0.
Disclosure of CVE-2020-14198
Nodes could be subject to CPU and memory DoS when attacked by lots of distinct IPs. A fix was released on August 1st, 2020 in Bitcoin Core 0.20.1.
CVE-2024-52913 - Censorship due to transaction re-request handling
Nodes could be prevented from seeing specific unconfirmed transactions by a malicious peer. A fix was released on January 14th, 2021 in Bitcoin Core 0.21.0.
Disclosure of CVE-2015-3641
Attackers sending large incomplete messages would cause high memory usage. A fix was released on April 27th, 2015 in Bitcoin Core 0.10.1.
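The entries for huge GETDATA messages (CVE-2024-52920), huge INV messages (CVE-2024-52915) and large incomplete messages (CVE-2015-3641) share one failure mode: a size the peer declares (an entry count in the payload, or a length in the message header) drives allocation or buffering before the corresponding bytes have arrived. The C++ block below is an added illustration of bounding both, written for this page; it is not Bitcoin Core's code. The limits kMaxPayloadBytes and kMaxInvEntries, the 24-byte header layout with the length at offset 16, and the sample messages are assumptions made for the example.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Limits chosen for this added example; they are not the project's constants.
constexpr size_t kMaxPayloadBytes = 4'000'000;  // cap on one message body
constexpr size_t kMaxInvEntries = 50'000;       // cap on entries in one inv/getdata
constexpr size_t kInvEntryBytes = 36;           // 4-byte type + 32-byte hash
constexpr size_t kHeaderBytes = 24;             // magic(4) command(12) length(4) checksum(4), assumed framing

struct Inv { uint32_t type; std::array<uint8_t, 32> hash; };
enum class ParseStatus { Ok, Truncated, TooManyEntries, TrailingBytes };
struct InvParseResult { ParseStatus status; std::vector<Inv> entries; };

// CompactSize varint: one byte below 0xfd, otherwise a marker plus 2/4/8 little-endian bytes.
static std::optional<uint64_t> ReadCompactSize(const std::vector<uint8_t>& b, size_t& pos) {
    if (pos >= b.size()) return std::nullopt;
    uint8_t first = b[pos++];
    size_t extra = first < 0xfd ? 0 : first == 0xfd ? 2 : first == 0xfe ? 4 : 8;
    if (extra == 0) return first;
    if (b.size() - pos < extra) return std::nullopt;
    uint64_t v = 0;
    for (size_t k = 0; k < extra; ++k) v |= uint64_t(b[pos + k]) << (8 * k);
    pos += extra;
    return v;
}

// Hardened inv/getdata parser: the peer-declared count is checked against the entry cap
// and against the bytes actually present before anything is allocated, so a message
// claiming billions of entries costs nothing beyond reading its prefix.
InvParseResult ParseInv(const std::vector<uint8_t>& payload) {
    size_t pos = 0;
    auto count = ReadCompactSize(payload, pos);
    if (!count) return {ParseStatus::Truncated, {}};
    if (*count > kMaxInvEntries) return {ParseStatus::TooManyEntries, {}};
    size_t need = size_t(*count) * kInvEntryBytes;  // cannot overflow: count is capped
    if (payload.size() - pos < need) return {ParseStatus::Truncated, {}};
    if (payload.size() - pos > need) return {ParseStatus::TrailingBytes, {}};
    std::vector<Inv> out;
    out.reserve(size_t(*count));  // bounded, and every entry is backed by real bytes
    for (uint64_t i = 0; i < *count; ++i, pos += kInvEntryBytes) {
        Inv e{};
        for (size_t k = 0; k < 4; ++k) e.type |= uint32_t(payload[pos + k]) << (8 * k);
        std::copy_n(payload.begin() + pos + 4, 32, e.hash.begin());
        out.push_back(e);
    }
    return {ParseStatus::Ok, std::move(out)};
}

// Incremental assembler for one framed message. The header's length field is checked
// as soon as the header is complete, so a peer declaring an oversized body is dropped
// rather than allowed to drip-feed bytes into a buffer that keeps growing.
struct MessageAssembler {
    std::vector<uint8_t> buf;
    std::optional<size_t> declared_len;
    bool rejected = false;
    bool Reject() { rejected = true; buf.clear(); return false; }
    // Returns true once exactly header + declared body has been buffered.
    bool Feed(const uint8_t* data, size_t len) {
        if (rejected) return false;
        buf.insert(buf.end(), data, data + len);
        if (!declared_len) {
            if (buf.size() < kHeaderBytes) return false;
            size_t n = 0;
            for (size_t k = 0; k < 4; ++k) n |= size_t(buf[16 + k]) << (8 * k);
            if (n > kMaxPayloadBytes) return Reject();
            declared_len = n;
        }
        if (buf.size() > kHeaderBytes + *declared_len) return Reject();  // overrun
        return buf.size() == kHeaderBytes + *declared_len;
    }
};

// Constructed sample inputs for the example (not captured traffic).
std::vector<uint8_t> SampleInvOk() {  // two entries with types 1 and 2, hash bytes equal to the type
    std::vector<uint8_t> p{0x02};
    for (uint8_t t : {uint8_t{1}, uint8_t{2}}) { p.insert(p.end(), {t, 0, 0, 0}); p.insert(p.end(), size_t{32}, t); }
    return p;
}
std::vector<uint8_t> SampleInvHugeCount() { return {0xfe, 0xff, 0xff, 0xff, 0xff}; }  // claims 2^32-1 entries
std::vector<uint8_t> SampleInvTruncated() { return std::vector<uint8_t>(1 + kInvEntryBytes, 0x03); }  // claims 3, carries 1
std::vector<uint8_t> SampleHeader(uint32_t body_len) {  // zeroed magic/command/checksum, LE length at offset 16
    std::vector<uint8_t> h(kHeaderBytes, 0);
    for (size_t k = 0; k < 4; ++k) h[16 + k] = uint8_t(body_len >> (8 * k));
    return h;
}

bool DemoOversizedDeclaredLengthIsRejected() {  // header alone is enough to drop the peer
    MessageAssembler a;
    auto hdr = SampleHeader(5'000'000);
    return !a.Feed(hdr.data(), hdr.size()) && a.rejected;
}
bool DemoSmallMessageAssemblesInPieces() {  // a legitimate 2-byte body arriving byte by byte
    MessageAssembler a;
    auto hdr = SampleHeader(2);
    if (a.Feed(hdr.data(), hdr.size()) || a.rejected) return false;
    uint8_t byte = 0;
    return !a.Feed(&byte, 1) && a.Feed(&byte, 1) && !a.rejected;
}
```

The order of checks in ParseInv is the point: the cap comparison and the remaining-bytes comparison both happen before reserve(), so the cost of a hostile count is constant regardless of the value claimed. MessageAssembler applies the same idea at the framing layer, so the buffer held for a peer is never larger than one header plus the cap. A main() of your own can call ParseInv on the sample payloads and the two Demo functions to see the results.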
CVE-2015-20111 - Remote code execution due to bug in miniupnpc
A bug in the miniupnpc library could have led to a remote code execution in Bitcoin Core. A fix was released on October 15th, 2015 in Bitcoin Core 0.11.1.
Disclosure of CVE-2017-18350
Nodes were potentially vulnerable to a buffer overflow by malicious SOCKS servers. A fix was released on November 6th, 2017 in Bitcoin Core version 0.15.1.
Disclosure of CVE-2018-17144
Bitcoin Core was vulnerable to a DoS and inflation attack. A fix was released on September 18th, 2018 in Bitcoin Core versions 0.16.3 and 0.17.0rc4.