Bitcoin developers have disclosed details of a high-severity software vulnerability affecting Bitcoin Core.
“People Who Mine Bitcoin Should Update Their Software Immediately”
According to senior Core developers, more than 13% of global nodes — the home and business computers that enforce Bitcoin’s rules — are at risk of being remotely shut down due to this vulnerability.
The vulnerability, dubbed CVE-2024-35202, affects Bitcoin nodes running Core software versions prior to 25.0. Nodes that have not been updated to at least version 25.0 are vulnerable to a vulnerability that could allow attackers to remotely trigger an issue in the software logic that processes block transaction (“blocktxn”) messages.
The flaw is caused by Bitcoin Core’s compact block protocol, which uses shortened transaction identifiers to minimize internet bandwidth usage. An attacker could cause a collision in these identifiers, causing the node to claim the entire block. While claiming a full block is a security measure, software versions prior to 25.0 have an issue with the way they handle subsequent blocktxn messages. This flaw could allow an attacker to manipulate the software’s logic, ultimately forcing the node into an invalid state and causing it to crash.
Niklas Gögge, who identified and disclosed the bug, also developed the fix, which was integrated into Bitcoin Core version 25.0. The patch was merged via pull request 26898 and became part of the production software as of May 26, 2023.
According to data from BitNodes.io, 13.7% of the 18,843 nodes currently operating on the Bitcoin network are vulnerable to the attack. Developers are urging all node operators to update their software to mitigate the risk. The latest version of Bitcoin Core, version 28.0, includes patches for this vulnerability.
While the bug poses a serious risk, developers have noted that it does not provide immediate financial gain to attackers. Exploiting the vulnerability requires sophisticated manipulation of the compact block protocol and does not make it possible to double-spend Bitcoin without additional sophisticated schemes, including social engineering and coordinated financial attacks.
However, this vulnerability could still be exploited by corporate or government entities looking to disrupt BTC operations for strategic reasons. The bug’s discovery is part of a recent pattern where Bitcoin Core developers have uncovered significant issues with older software versions. Since Bitcoin Core doesn’t automatically update by default, node operators must manually download, verify, and update their software to stay safe.
*This is not investment advice.
