
Developers disclose vulnerability in Bitcoin Core v25.0, urge node operators to update software to fix it

2024-10-13 02:13
Odaily News: Bitcoin developers have revealed details of a serious software vulnerability. According to a senior Core developer, more than 13% of the home and business computers worldwide that enforce Bitcoin's rules are vulnerable to remote shutdown.

The vulnerability, tracked as CVE-2024-35202, affects Bitcoin nodes running Core software versions before 25.0. Nodes that have not been updated to at least 25.0 allow attackers to remotely trigger assertions in the software logic that processes block transaction ('blocktxn') messages. It is worth mentioning that the vulnerability offers little financial benefit to ordinary attackers.

Specifically, the vulnerability stems from Core's compact block protocol, which uses shortened transaction identifiers to reduce Internet bandwidth usage. An attacker can trigger a collision in these identifiers, causing the node to request a complete block. Although requesting a complete, unabridged block is a security precaution, software versions before 25.0 have flaws in the logic for processing subsequent blocktxn messages. In short, a node can be forced into an invalid state by manipulating logic gates, causing the node to crash completely.

The vulnerability was discovered and disclosed by Niklas Gögge, who also provided a patch deployed in Bitcoin Core v25.0. He fixed the vulnerability in pull request number 26898 in Bitcoin Core, and other developers merged it into production before May 26, 2023.

BitNodes.io information shows that 13.7% of the 18,843 nodes running on the Bitcoin network are vulnerable to attacks. Developers urge all node operators to update their software to fix this vulnerability. The latest version of Bitcoin Core software is 28.0. (Protos)
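A share like the BitNodes figure above comes from classifying the version each node reports. The following added example (not from the article or from Bitcoin Core) checks self-reported user agents against the 25.0 fix version; the function names are hypothetical and the sample user agents are constructed.

```python
import re

# First patched release named in the article.
FIXED = (25, 0, 0)

# User agent as a node reports it, e.g. "/Satoshi:24.0.1/" or
# "/Satoshi:27.1.0(comment)/". Only the leading Satoshi token is read.
# Assumption: forks that keep this token are judged by the version in it.
_SATOSHI = re.compile(r"^/Satoshi:(\d+(?:\.\d+){1,3})(?:\([^)]*\))?/")


def core_version(user_agent):
    """Return the Bitcoin Core version as a 3-tuple, or None if not Core."""
    m = _SATOSHI.match(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    # Releases before 22.0 were numbered 0.MAJOR.MINOR; drop the leading 0
    # so that 0.21.1 compares as (21, 1, 0).
    if parts[0] == 0:
        parts = parts[1:]
    return tuple((parts + [0, 0, 0])[:3])


def classify(user_agent):
    """'vulnerable' if below 25.0, 'patched' if not, 'unknown' if unparsable."""
    v = core_version(user_agent)
    if v is None:
        return "unknown"
    return "vulnerable" if v < FIXED else "patched"


def audit(user_agents):
    """Return (counts per class, percentage of nodes classed vulnerable)."""
    counts = {"vulnerable": 0, "patched": 0, "unknown": 0}
    for ua in user_agents:
        counts[classify(ua)] += 1
    total = len(user_agents)
    share = 100.0 * counts["vulnerable"] / total if total else 0.0
    return counts, round(share, 1)


# Constructed sample, not real network data.
SAMPLE = [
    "/Satoshi:28.0.0/", "/Satoshi:24.0.1/", "/Satoshi:0.21.1/",
    "/Satoshi:25.0.0/", "/Satoshi:27.1.0(mynode)/", "/btcd:0.24.0/",
    "/Satoshi:22.0.0/", "/Satoshi:26.0.0/",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

User agents are self-reported and can be changed by the operator, so for a node you run, confirm the installed binary's version rather than relying on this string.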