Bitcoin Core Discloses Three Vulnerabilities Affecting Versions Before v25.0

• "Today we are releasing three security advisories for the Bitcoin Core project. These vulnerabilities affect versions of Bitcoin Core before (and not including) 25.0," posted Niklas Gögge to the Bitcoin Dev Mailing list.

"This is part of the gradual adoption by the project of a new vulnerability disclosure policy. The policy is available [here]. We will follow up next month with vulnerabilities affecting Bitcoin Core versions before (and not including) 26.0, if any," added the developer.

Disclosed vulnerabilities include:

• CVE-2024-35202. This is a high severity issue that allows attackers to crash Bitcoin Core nodes remotely by triggering an assertion in the blocktxn message handling logic. The vulnerability was discovered by Niklas Gögge and fixed in Bitcoin Core v25.0.
• Hindered block propagation due to mutated blocks. This is a medium severity issue that allows a peer to clear the block download state of other peers by sending unrequested, mutated blocks. It was fixed in #27608 by ensuring that a peer can only affect its own block download state, not the download states of other peers.
• DoS due to inv-to-send sets growing too large. It's a medium severity issue where excessively large m_tx_inventory_to_send sets could disrupt node communication by slowing inventory message construction.

"Network conditions in early May 2023 triggered this DoS and affected block and transaction propagation," was stated in the disclosure.

• The fix, implemented in #27610, involves removing outdated transactions sooner and adjusting the set drainage rate based on its size.

Bitcoin Core users are encouraged to update their clients to newer versions to avoid these issues, as well as other documented vulnerabilities.

• If you want to learn more about these vulnerabilities, check out a dedicated episode of The Bitccoin Development Podcast by Brink here.

Announcement / Archive
Security Advisories Page