CVE-2024-52911
Bitcoin Core Denial of Service Vulnerability
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bitcoin_core | bitcoin_core | From 0.14 (inc) to 28.x (inc) |
| bitcoin | core | From 0.14 (inc) to 29.0 (exc) |
| bitcoin | core | to 28.0 (inc) |
| bitcoin | core | 29 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific information provided about detection methods or commands to identify this vulnerability on a network or system.
Can you explain this vulnerability to me?
CVE-2024-52911 is a high-severity vulnerability in Bitcoin Core versions after 0.14.0 and before 29.0. It involves a use-after-free bug in the script interpreter where validating a specially crafted block could cause a node to access memory that had already been freed.
This happens because precomputed transaction data, which is cached during validation, can be destroyed while still being accessed by a background validation thread if the block is invalid.
An attacker could exploit this by mining a block with sufficient proof-of-work to crash victim nodes.
While remote code execution is theoretically possible, the constraints on input data make it unlikely.
The vulnerability was discovered by Cory Fields and fixed in Bitcoin Core 29.0 by removing early returns in the validation process to prevent premature destruction of the precomputed data.
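A simplified model of the lifetime problem described in this answer, added here as an illustration and not taken from Bitcoin Core or from this record. All names (`CheckQueue`, `validate_early_return`, `validate_fixed`) are hypothetical, and a deferred queue stands in for the background validation thread so the stale access can be counted safely.

```cpp
// Simplified lifetime model; every name is hypothetical, not Bitcoin Core code.
#include <functional>
#include <memory>
#include <vector>
using TxData = std::vector<int>;  // stand-in for cached per-transaction data

// Stand-in for the background validation thread: checks are queued now and
// run later, possibly after the function that queued them has returned.
struct CheckQueue {
    std::vector<std::function<bool()>> pending;
    int stale_reads = 0;  // checks that ran after their data was destroyed
    void drain() {
        for (auto& check : pending) if (!check()) ++stale_reads;
        pending.clear();
    }
};

// weak_ptr lets the model detect the dangling read without undefined behaviour;
// with a raw reference the same read would be a use-after-free.
static void queue_checks(CheckQueue& q, const std::shared_ptr<TxData>& data) {
    std::weak_ptr<TxData> ref = data;
    for (size_t i = 0; i < data->size(); ++i)
        q.pending.push_back([ref, i] { auto d = ref.lock(); return d && (*d)[i] == 42; });
}

// Before: the early return destroys `data` while checks still reference it.
bool validate_early_return(CheckQueue& q, size_t n_tx, bool block_invalid) {
    auto data = std::make_shared<TxData>(n_tx, 42);
    queue_checks(q, data);
    if (block_invalid) return false;  // queue not drained, data freed here
    q.drain();
    return true;
}

// After: no early return, so the queue always drains before `data` dies.
bool validate_fixed(CheckQueue& q, size_t n_tx, bool block_invalid) {
    auto data = std::make_shared<TxData>(n_tx, 42);
    queue_checks(q, data);
    q.drain();
    return !block_invalid;
}

// Number of queued checks that touched destroyed data for an invalid block.
int stale_reads_for_invalid_block(bool fixed) {
    CheckQueue q;
    if (fixed) validate_fixed(q, 3, true); else validate_early_return(q, 3, true);
    q.drain();  // the background worker catches up after validation returned
    return q.stale_reads;
}
```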
How can this vulnerability impact me?
This vulnerability can be exploited by an attacker to remotely crash Bitcoin Core nodes by sending a specially crafted block.
A successful exploit would cause denial of service by making the node access freed memory, potentially disrupting node operations.
Although remote code execution is theoretically possible, it is considered unlikely due to input constraints.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Bitcoin Core to version 29.0 or later, as the fix was implemented in that release.
The vulnerability affects versions after 0.14.0 and before 29.0, with the last vulnerable version 28.x reaching end-of-life in April 2026.
The fix involved removing early returns in the validation process to prevent premature destruction of precomputed transaction data.