CVE-2025-46598
Denial of Service in Bitcoin Core via Crafted Transaction
Publication date: 2026-03-20
Last updated on: 2026-04-02
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bitcoin | bitcoin_core | to 0.30.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-405 | The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
Can you explain this vulnerability to me?
CVE-2025-46598 is a low-severity resource exhaustion vulnerability in Bitcoin Core related to the processing of unconfirmed transactions.
An attacker can send specially crafted non-standard unconfirmed transactions that take several seconds each to validate on a victim node.
Although these transactions are ultimately rejected, they do not cause disconnection, allowing repeated exploitation to cause CPU denial-of-service (DoS) and delay block propagation.
The issue was addressed through multiple mitigations aimed at reducing the worst-case validation time in various Script contexts, specifically targeting quadratic signature hashing inefficiencies in both legacy Script and Tapscript contexts.
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial-of-service (DoS) condition on Bitcoin Core nodes.
An attacker can exploit the vulnerability by sending crafted transactions that consume excessive CPU resources during validation, leading to resource exhaustion.
This results in delayed block propagation and degraded node performance, potentially affecting the reliability and responsiveness of the Bitcoin network node you operate or rely on.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves specially crafted non-standard unconfirmed transactions that cause CPU resource exhaustion during validation. Detection would involve monitoring for unusually high CPU usage related to transaction validation on Bitcoin Core nodes.
Specific commands or tools to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability was mitigated by multiple patches that reduce the worst-case validation time of transactions, specifically addressing quadratic signature hashing inefficiencies in legacy Script and Tapscript contexts.
The recommended immediate step is to upgrade Bitcoin Core to version 30.0 or later, which includes all the merged mitigations for this vulnerability.