Bitcoin developers have revealed details of a serious software vulnerability. According to a senior Core developer, more than 13% of the home and business computers worldwide that enforce Bitcoin's rules (nodes) are vulnerable to remote shutdown.
The vulnerability, tracked as CVE-2024-35202, affects Bitcoin nodes running Core software versions prior to 25.0. Nodes that have not been updated to at least 25.0 allow attackers to remotely trigger an assertion in the software logic that processes block transaction ('blocktxn') messages. It is worth mentioning that the vulnerability offers little financial benefit to ordinary attackers.
Specifically, the vulnerability stems from Core's compact block protocol, which uses shortened transaction identifiers to reduce the use of Internet bandwidth. An attacker can trigger a collision in these identifiers, causing the node to request a full block.
Although requesting full, unabridged blocks is a security precaution, software versions prior to 25.0 have a flaw in the logic that handles subsequent blocktxn messages. In short, it is possible to manipulate this logic to force a node into an invalid state, causing it to crash completely.
The vulnerability was discovered and disclosed by Niklas Gögge, who also provided a patch deployed in Bitcoin Core v25.0. He fixed the vulnerability in Bitcoin Core pull request number 26898, and other developers merged it into production before May 26, 2023.
BitNodes.io information shows that 13.7% of the 18,843 nodes running the Bitcoin network are vulnerable to attacks. Developers urge all node operators to update their software to fix this vulnerability. The latest version of Bitcoin Core software is 28.0. (Protos)
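For operators who track several nodes, the check below sorts advertised versions against the 25.0 fix line. It is an added example, not code from the article or from Bitcoin Core. It assumes user-agent strings in the "/Satoshi:x.y.z/" form that Core reports in the `subversion` field of `getnetworkinfo` and the `subver` field of `getpeerinfo`; the sample strings are constructed.

```python
import re
from collections import Counter

# First release carrying the fix, per the article (Bitcoin Core v25.0).
FIXED = (25, 0)

# Core advertises itself as "/Satoshi:<major>.<minor>[.<patch>]/".
_SATOSHI = re.compile(r"/Satoshi:(\d+(?:\.\d+)*)")


def core_version(user_agent):
    """Return the advertised Core version as a tuple of ints, or None."""
    m = _SATOSHI.search(user_agent or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad "25" to (25, 0) so a bare major version compares correctly.
    return parts + (0,) * (2 - len(parts))


def classify(user_agent):
    """'vulnerable' if prior to 25.0, 'patched' if 25.0+, else 'unknown'."""
    v = core_version(user_agent)
    if v is None:
        return "unknown"  # not Core, or no usable version string
    # Tuple comparison also covers the old 0.x numbering (0.21.1 < 25.0).
    return "vulnerable" if v < FIXED else "patched"


def summarize(user_agents):
    """Count each class and return (counts, percent vulnerable)."""
    counts = Counter(classify(ua) for ua in user_agents)
    total = sum(counts.values())
    share = round(100.0 * counts["vulnerable"] / total, 1) if total else 0.0
    return counts, share


# Constructed sample inventory (not real nodes).
SAMPLE = [
    "/Satoshi:28.0.0/", "/Satoshi:24.0.1/", "/Satoshi:0.21.1/",
    "/Satoshi:25.0.0/", "/Satoshi:27.1.0(constructed-comment)/",
    "/othernode:1.0/", "",
]

if __name__ == "__main__":
    counts, share = summarize(SAMPLE)
    print(dict(counts), f"{share}% vulnerable")
```

The user agent is self-reported and configurable, so treat the result as an inventory aid and confirm the installed version on each host before closing the finding.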