Security Advisories
Overview
This page summarizes policies in relation to disclosing vulnerabilities in Bitcoin Core, as well as provides a summary of historical Security Advisories.
Policy
When reported, a vulnerability will be assigned a severity category. We differentiate between 4 classes of vulnerabilities:
-
Low: bugs which are hard to exploit or have a low impact. For instance a wallet bug which requires access to the victim’s machine.
-
Medium: bugs with limited impact. For instance a local network remote crash.
-
High: bugs with significant impact. For instance a remote crash, or a local network RCE.
-
Critical: bugs which threaten the whole network’s integrity. For instance an inflation or coin theft bug.
Low severity bugs will be disclosed 2 weeks after a fixed version is released. A pre-announcement will be made at the same time as the release.
Medium and High severity bugs will be disclosed 2 weeks after the last affected release goes EOL. This is a year after a fixed version was first released. A pre-announcement will be made 2 weeks prior to disclosure.
Critical bugs are not considered in the standard policy, as they would most likely require an ad-hoc procedure. Also, a bug may not be considered a vulnerability at all. Any reported issue may also be considered serious, yet not require embargo.
Past Security Advisories
Disclosure of remote crash due to addr message spam
Nodes could be spammed with addr messsages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
Disclosure of the impact of an infinite loop bug in the miniupnp dependency
Nodes could be crashed by a malicious UPnP device on the local network. A fix was released on September 14th, 2021 in Bitcoin Core v22.0.
Disclosure of crash using malicious BIP72 URI
The BIP70 implementation in Bitcoin-Qt could silently crash when opening a BIP72 URI. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
Disclosure of DoS using huge GETDATA messages
A malformed GETDATA message could trigger 100% CPU usage on the receiving node. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
Disclosure of memory DoS using low-difficulty headers
Nodes could be spammed with low-difficulty headers, which could be used to crash it. A fix was released on September 14th, 2017 in Bitcoin Core 0.15.0.
Disclosure of memory DoS using huge INV messages
Nodes would allocate up to 50 MB of memory per attacker sending a malicious INV message. A fix was released on June 3rd, 2020 in Bitcoin Core 0.20.0.
Disclosure of significant DoS due to orphan handling
A node could be stalled for hours when receiving a specially crafted unconfirmed transaction. A fix was released on May 18th, 2019 in Bitcoin Core 0.18.0.
Disclosure of netsplit due to timestamp adjustment
A node could be split from the network when attacked by its first 200 peers. A fix was released on January 15th, 2021 in Bitcoin Core version 0.21.0.
Disclosure of CVE-2020-14198
Nodes could be subject to CPU and memory DoS when attacked by lots of distinct IPs. A fix was released on August 1st, 2020 in Bitcoin Core 0.20.1.
Disclosure of censorship due to transaction re-request handling
Nodes could be prevented from seeing specific unconfirmed transactions by a malicious peer. A fix was released on January 14th, 2021 in Bitcoin Core 0.21.0.
Disclosure of CVE-2015-3641
Attackers sending large incomplete messages would cause high memory usage. A fix was released on April 27th, 2015 in Bitcoin Core 0.10.1.
Disclosure of remote code execution due to bug in miniupnpc
A bug in the miniupnpc library could have led to a remote code execution in Bitcoin Core. A fix was released on October 15th, 2015 in Bitcoin Core 0.11.1.
Disclosure of CVE-2017-18350
Nodes were potentially vulnerable to a buffer overflow by malicious SOCKS servers. A fix was released on November 6th, 2017 in Bitcoin Core version 0.15.1.
Disclosure of CVE-2018-17144
Bitcoin Core was vulnerable to a DoS and inflation attack. A fix was released on September 18th, 2018 in Bitcoin Core versions 0.16.3 and 0.17.0rc4.