Bitcoin: >> Bitcoin Core >> 0.21.0 Security Vulnerabilities
Bitcoin Core through 27.2 allows transaction-relay jamming via an off-chain protocol attack, a related issue to CVE-2024-52913. For example, the outcome of an HTLC (Hashed Timelock Contract) can be changed because a flood of transaction traffic prevents propagation of certain Lightning channel transactions.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-12-09
In Bitcoin Core before 25.0, a peer can affect the download state of other peers by sending a mutated block.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-11-18
In Bitcoin Core before 25.1, an attacker can cause a node to not download the latest block, because there can be minutes of delay when an announcing peer stalls instead of complying with the peer-to-peer protocol specification.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-11-18
Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains (aka a "Chain Width Expansion" attack) because a node does not first verify that a presented chain has enough work before committing to store it.
CVSS Score
7.5
EPSS Score
0.004
Published
2024-11-18
Bitcoin Core before 22.0 has a miniupnp infinite loop in which it allocates memory on the basis of random data received over the network, e.g., large M-SEARCH replies from a fake UPnP device.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-11-18
Bitcoin Core before 22.0 has a CAddrMan nIdCount integer overflow and resultant assertion failure (and daemon exit) via a flood of addr messages.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-11-18
Bitcoin Core before 25.0 allows remote attackers to cause a denial of service (blocktxn message-handling assertion and node exit) by including transactions in a blocktxn message that are not committed to in a block's merkle root. FillBlock can be called twice for one PartiallyDownloadedBlock instance.
CVSS Score
7.5
EPSS Score
0.008
Published
2024-10-10
In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."
CVSS Score
5.3
EPSS Score
0.0
Published
2023-12-09
Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.
CVSS Score
7.5
EPSS Score
0.003
Published
2023-05-22
bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call. NOTE: this reportedly does not violate the security model of Bitcoin Core, but can violate the security model of a fork that has implemented dumpwallet restrictions
CVSS Score
7.5
EPSS Score
0.003
Published
2021-01-26
Page 1