Security Advisories
Overview
This page summarizes the policy for disclosing vulnerabilities in Bitcoin Core and provides a summary of historical Security Advisories.
Policy
All vulnerabilities should be reported to security@bitcoincore.org (see SECURITY.md for details). When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
Critical
Bugs that threaten the fundamental security and integrity of the entire Bitcoin network. These are bugs that allow for coin theft at the protocol level, the creation of coins outside of the specified issuance schedule, or permanent, network-wide chain splits.
Examples:
- A bug allowing the money supply to be inflated by spending the same transaction output twice within a block (CVE-2018-17144).
- A consensus failure where nodes running older software rejected a block that newer software accepted due to an underlying database limit, causing a network-wide chain split (BIP 50).
High
Bugs with a significant impact on affected nodes or the network. These are typically exploitable remotely under default configurations and can cause widespread disruption.
Examples:
- A remotely triggerable crash that could take many nodes offline (CVE-2024-35202).
- A denial-of-service attack that causes a node to stall for an extended period, preventing it from processing new transactions and blocks (CVE-2024-52914).
- A memory exhaustion vulnerability that could be triggered remotely to crash nodes by having them store an excessive amount of block headers (CVE-2019-25220).
Medium
Bugs that can noticeably degrade the network’s or a node’s performance or functionality, but are limited in their scope or exploitability. These might require special conditions to trigger, such as non-default settings, or result in service degradation rather than a complete node failure.
Examples:
- A potential Remote Code Execution (RCE) vulnerability on the local network that is only exploitable if a non-default feature like UPnP is enabled (CVE-2015-20111).
- A peer could hinder block propagation by sending mutated blocks, delaying the reception of new blocks for a node (CVE-2024-52921).
- An attacker announcing a block to a node and then failing to provide it, causing the victim node to wait for up to 10 minutes before being able to fetch it from another peer (CVE-2024-52922).
Low
Bugs that are challenging to exploit or have a minor impact on a node’s operation. They might only be triggerable under non-default configurations or from the local network, and do not pose an immediate or widespread threat.
Examples:
- A malformed getdata message could cause a peer connection to enter an infinite loop, consuming CPU but not affecting the node’s ability to process blocks or handle other peer connections (CVE-2024-52920).
- A bug in a dependency that could crash a node, but only if a non-default feature like UPnP is enabled (CVE-2024-52917).
- A bug that could crash a node, but is extremely difficult to exploit (CVE-2024-52919).
Low severity bugs will be disclosed 2 weeks after a fixed version exists on the current major release branch. A pre-announcement will be made at the same time as the release.
Medium and High severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
Critical bugs are not covered by the standard policy, as they would most likely require an ad-hoc procedure. Note also that a reported bug may turn out not to be a vulnerability at all, and a reported issue may be considered serious yet not require an embargo.
Past Security Advisories
CVE-2024-52919 - Remote crash due to addr message spam (part 2)
An attacker could crash a node by spamming it with addr messages for a very long time. A fix was released on April 14th, 2025 in Bitcoin Core v29.0.
CVE-2024-52922 - Hindered block propagation due to stalling peers
A peer could hinder block propagation by announcing blocks and then simply withholding them.
Disclosure of CVE-2024-35202
An attacker could remotely crash a Bitcoin Core node by triggering an assertion in the blocktxn message handling logic.
Disclosure of DoS due to inv-to-send sets growing too large
The inv-to-send sets could grow so large that the time spent sorting them affected the node’s ability to communicate with its peers.
CVE-2024-52921 - Hindered block propagation due to mutated blocks
A peer could hinder block propagation by sending mutated blocks.
CVE-2019-25220 - Memory DoS due to headers spam
An attacker could spam a Bitcoin Core node with low-difficulty header chains, which could be used to remotely crash it.
CVE-2024-52919 - Remote crash due to addr message spam
Nodes could be spammed with addr messages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52917 - Infinite loop bug in the miniupnp dependency
Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
CVE-2024-52918 - Crash using malicious BIP72 URI
The BIP70 implementation in Bitcoin-Qt could silently crash when opening a BIP72 URI. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52920 - DoS using huge GETDATA messages
A malformed GETDATA message could trigger 100% CPU usage on the receiving node. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52916 - Memory DoS using low-difficulty headers
Nodes could be spammed with low-difficulty headers, which could be used to crash them. A fix was released on September 14th, 2017 in Bitcoin Core 0.15.0.
CVE-2024-52915 - Memory DoS using huge INV messages
Nodes would allocate up to 50 MB of memory per attacker sending a malicious INV message. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
CVE-2024-52914 - Significant DoS due to orphan handling
A node could be stalled for hours when receiving a specially crafted unconfirmed transaction. A fix was released on May 18th, 2019 in Bitcoin Core 0.18.0.
CVE-2024-52912 - Netsplit due to timestamp adjustment
A node could be split from the network when attacked by its first 200 peers. A fix was released on January 15th, 2021 in Bitcoin Core version 0.21.0.
Disclosure of CVE-2020-14198
Nodes could be subject to CPU and memory DoS when attacked by lots of distinct IPs. A fix was released on August 1st, 2020 in Bitcoin Core 0.20.1.
CVE-2024-52913 - Censorship due to transaction re-request handling
Nodes could be prevented from seeing specific unconfirmed transactions by a malicious peer. A fix was released on January 14th, 2021 in Bitcoin Core 0.21.0.
Disclosure of CVE-2015-3641
Attackers sending large incomplete messages would cause high memory usage. A fix was released on April 27th, 2015 in Bitcoin Core 0.10.1.
CVE-2015-20111 - Remote code execution due to bug in miniupnpc
A bug in the miniupnpc library could have led to a remote code execution in Bitcoin Core. A fix was released on October 15th, 2015 in Bitcoin Core 0.11.1.
Disclosure of CVE-2017-18350
Nodes were potentially vulnerable to a buffer overflow by malicious SOCKS servers. A fix was released on November 6th, 2017 in Bitcoin Core version 0.15.1.
Disclosure of CVE-2018-17144
Bitcoin Core was vulnerable to a DoS and inflation attack. A fix was released on September 18th, 2018 in Bitcoin Core versions 0.16.3 and 0.17.0rc4.