Home
News
Details

Bitcoin Core Secretly Patches Critical Memory Bug CVE-2024-52911

iconCrypto Economy
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
This is the logo of the coin.
BTC
$81,068.300.11%
AI summary iconSummary

expand icon
Bitcoin Core secretly patched a critical memory bug, CVE-2024-52911, months before public disclosure. The flaw, affecting versions 0.14.0 through 28.x, allowed a malicious miner to remotely crash nodes using invalid blocks. Around 43% of active nodes are still running pre-29.0 versions and remain at risk. The spot bitcoin ETF approval has drawn attention, but this vulnerability highlights the need for timely upgrades.

TL;DR:

  • Bitcoin Core silently patched CVE-2024-52911, its first memory security bug, before publicly disclosing it this week.
  • The flaw affected all versions from 0.14.0 through 28.x and allowed a miner to remotely crash nodes with invalid blocks.
  • Around 43% of active nodes would still be running software prior to version 29.0, leaving them exposed.

Bitcoin Coresecretly patched the first memory security vulnerability in the project’s history, months before publicly disclosing it. The flaw, catalogued as CVE-2024-52911 and classified as high severity, affected all software versions between 0.14.0 and 28.x, and created the possibility that a malicious miner could remotely crash third-party nodes through specially crafted invalid blocks.

The bug corresponds to a *use-after-free* vulnerability in the script validation engine. During block validation, precalculated data stored in cache could be destroyed while a background validation thread was still reading it. Given the underlying mechanism, the exploit not only enabled an abrupt node shutdown, but also left open — though unlikely — the possibility of remote code execution during the resulting abnormal memory state.

Bitcoin core

Bitcoin Core: A Silent Patch that Protected the Network

Cory Fields, a researcher at the MIT Digital Currency Initiative, discovered the vulnerability and privately reported it on November 2, 2024. Four days later, Bitcoin Core developer Pieter Wuille implemented a covert fix, deliberately titled “Improve parallel script validation error debug logging” to avoid alerting potential attackers. The fix was incorporated into the repository in December 2024 and distributed with Bitcoin Core v29.0 in April 2025.

Public disclosure only took place once the 28.x version line reached end of life on April 19, 2026. Developer Niklas Gögge noted that this is the first memory security issue recorded in approximately two years of the project’s public security advisory history, and acknowledged Fields’ responsible disclosure.

bitcoin post

Why Was There No Exploit?

The deterrent element built into the attack vector also deserves attention: any miner attempting to exploit it would have needed to burn real hashpower on invalid blocks with no reward whatsoever — a guaranteed loss that likely explains why the vulnerability remained dormant in practice.

Bitcoin’s consensus rules were not affected at any point, as the bug was confined to the node software’s memory handling. However, based on estimates from Clark Moody’s dashboard, around 43% of active nodes would still be running versions prior to v29.0 and would remain exposed.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.