CVE-2025-46598
Received Received - Intake
Denial of Service in Bitcoin Core via Crafted Transaction

Publication date: 2026-03-20

Last updated on: 2026-04-02

Assigner: MITRE

Description
Bitcoin Core through 29.0 allows a denial of service via a crafted transaction.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-46598
EUVD
EUVD-2025-208889
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bitcoin bitcoin_core to 0.30.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-46598 is a low-severity resource exhaustion vulnerability in Bitcoin Core related to the processing of unconfirmed transactions.

An attacker can send specially crafted non-standard unconfirmed transactions that take several seconds each to validate on a victim node.

Although these transactions are ultimately rejected, they do not cause disconnection, allowing repeated exploitation to cause CPU denial-of-service (DoS) and delay block propagation.

The issue was addressed through multiple mitigations aimed at reducing the worst-case validation time in various Script contexts, specifically targeting quadratic signature hashing inefficiencies in both legacy Script and Tapscript contexts.

Compliance Impact

I don't know

Impact Analysis

This vulnerability can impact you by causing a denial-of-service (DoS) condition on Bitcoin Core nodes.

An attacker can exploit the vulnerability by sending crafted transactions that consume excessive CPU resources during validation, leading to resource exhaustion.

This results in delayed block propagation and degraded node performance, potentially affecting the reliability and responsiveness of the Bitcoin network node you operate or rely on.

Detection Guidance

This vulnerability involves specially crafted non-standard unconfirmed transactions that cause CPU resource exhaustion during validation. Detection would involve monitoring for unusually high CPU usage related to transaction validation on Bitcoin Core nodes.

Specific commands or tools to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The vulnerability was mitigated by multiple patches that reduce the worst-case validation time of transactions, specifically addressing quadratic signature hashing inefficiencies in legacy Script and Tapscript contexts.

The recommended immediate step is to upgrade Bitcoin Core to version 30.0 or later, which includes all the merged mitigations for this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-46598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart