Bitcoin Core developers disclosed a high-severity bug that could allow miners to remotely crash some Bitcoin nodes.
Summary
- Bitcoin Core disclosed CVE-2024-52911, affecting versions before 29.0, with older nodes still exposed online.
- Miners needed costly proof-of-work blocks to trigger crashes, making real-world abuse historically unlikely for attackers.
- Cory Fields privately reported the bug in 2024, before Bitcoin Core 29.0 shipped patched software.
The issue, tracked as CVE-2024-52911, affected Bitcoin Core versions after 0.14.0 and before 29.0. The bug was fixed in Bitcoin Core 29.0, which was released in April 2025.
Bitcoin Core made the issue public on May 5, 2026, after the final vulnerable 28.x release line reached end of life on April 19.
Bug affected block validation
The issue involved Bitcoin Core’s script interpreter during block validation. Bitcoin Core said a specially crafted block could cause a node to access memory after that data had already been freed.
During validation, Bitcoin Core pre-calculates transaction input data and sends script checks to background threads. In some cases, an invalid block could destroy cached data while another thread still tried to read it.
Bitcoin Core said this could allow an attacker with enough proof-of-work to crash victim nodes. It also said “it is possible” the crash could support remote code execution, though limits on block data made that outcome “unlikely.”
Attack required costly mining
The attack was not simple to carry out. A miner would need to produce a specially crafted block with enough proof-of-work to reach the chain tip.
That made the attack costly because such a block would be invalid. It could not earn a normal block reward, leaving the attacker to spend hashpower without collecting the usual mining payout.
Bitcoin Core did not say the bug had been used in real attacks. The advisory focused on the flaw, the fix, and the disclosure timeline.
The bug did not change Bitcoin’s consensus rules. It was tied to memory handling in Bitcoin Core software, not the rules that define valid Bitcoin transactions or blocks.
Cory Fields reported the flaw
Cory Fields of the MIT Digital Currency Initiative privately reported the bug on Nov. 2, 2024. Bitcoin Core said the report included a proof of concept and a proposed way to reduce the risk.
Pieter Wuille pushed a covert fix four days later through PR 31112. The pull request was merged on Dec. 3, 2024, before Bitcoin Core 29.0 shipped with the fix in April 2025.
The advisory followed Bitcoin Core’s disclosure policy for high-severity bugs. Its policy says high-severity issues are disclosed after the last affected release goes end of life.
In addition, node operators using Bitcoin Core versions before 29.0 still face the old bug. Bitcoin Core does not auto-update, so users must install newer versions manually.
A past report on blockchain decentralization risks cited research that 21% of Bitcoin nodes ran outdated Bitcoin Core software in June 2021. That context shows why older client versions can remain a security concern long after fixes ship.
Be the first to comment