Security Advisories
Overview
This page summarizes the Bitcoin Core policy for disclosing vulnerabilities and lists the historical Security Advisories.
Policy
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
- Low: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim’s machine.
- Medium: bugs with limited impact. For instance a local network remote crash.
- High: bugs with significant impact. For instance a remote crash, or a local network RCE.
- Critical: bugs which threaten the whole network’s integrity. For instance an inflation or coin theft bug.
Low severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
Medium and High severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
Critical bugs are not covered by the standard policy, as they would most likely require an ad-hoc procedure. Also, a reported bug may not be considered a vulnerability at all, and a reported issue may be considered serious yet not require an embargo.
Past Security Advisories
Disclosure of crash due to malicious BIP72 URI (≤ version 0.19.2)
The BIP70 implementation in Bitcoin Core could silently crash when opening a BIP72 URI.
Disclosure of CPU DoS due to malicious P2P message (≤ version 0.19.2)
A malformed GETDATA message could trigger an infinite loop on the receiving node, using 100% of the CPU allocated to this thread.
Disclosure of memory DoS using low-difficulty headers (≤ version 0.14.3)
After Bitcoin Core 0.12.0 and before Bitcoin Core 0.15.0, a node could be spammed with minimum-difficulty headers, which could possibly be leveraged to crash it by OOM.
Disclosure of memory DoS due to malicious P2P message (≤ version 0.19.2)
Public disclosure of a DoS vulnerability affecting old versions of Bitcoin Core
Disclosure of CPU DoS / stalling due to malicious P2P message (≤ version 0.17.2)
A node could be stalled for hours when processing the orphans of a specially crafted unconfirmed transaction.
Disclosure of netsplit due to malicious P2P messages by first 200 peers (≤ version 0.20.1)
Disclosure of the details of an integer overflow bug which risked causing a network split.
Disclosure of CPU/memory DoS due to many malicious peers (≤ version 0.20.0)
Bitcoin Core maintained an unlimited list of banned IP addresses and performed a quadratic operation on it. This could lead to an OOM crash and a CPU DoS.
Disclosure of censoring unconfirmed transactions to a specific victim (≤ version 0.20.2)
Public disclosure of a transaction relay censorship vulnerability affecting old versions of Bitcoin Core.
Disclosure of memory DoS due to malicious P2P message from many peers (≤ version 0.10.0)
A node could be forced to allocate large buffers when receiving a message, which could be leveraged to remotely crash it by OOM.
Disclosure of potential remote code execution due to bug in miniupnpc (≤ version 0.11.1)
Public disclosure of a buffer overflow in miniupnpc which could have led to a remote code execution in Bitcoin Core.
CVE-2017-18350 Disclosure
Disclosure of the details of CVE-2017-18350, a fix for which was released on November 6th, 2017 in Bitcoin Core version 0.15.1.
CVE-2018-17144 Full Disclosure
A full disclosure of the impact of CVE-2018-17144, a fix for which was released on September 18th in Bitcoin Core versions 0.16.3 and 0.17.0RC4.