@@ -19,75 +19,85 @@ All vulnerabilities should be reported to security@bitcoincore.org (see
1919[ SECURITY.md] ( https://github.com/bitcoin/bitcoin/blob/master/SECURITY.md ) for
2020details). When reported, a vulnerability will be assigned a severity category.
2121We differentiate between 4 classes of vulnerabilities:
22-
23- ### Critical
24-
25- Bugs that threaten the fundamental security and integrity of the entire Bitcoin
26- network. These are bugs that allow for coin theft at the protocol level, the
27- creation of coins outside of the specified issuance schedule, or permanent,
28- network-wide chain splits.
29-
30- Examples:
31- * A bug allowing inflating the money supply by spending the same transaction
32- output twice within a block ([ CVE-2018 -17144] ( /en/2018/09/20/notice/ ) ).
33- * A consensus failure where nodes running older software rejected a block that
34- newer software accepted due to an underlying database limit, causing a
35- network-wide chain split ([ BIP
36- 50] ( https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki ) ).
37-
38- ### High
39-
40- Bugs with a significant impact on affected nodes or the network. These are
41- typically exploitable remotely under default configurations and can cause
42- widespread disruption.
43-
44- Examples:
45- * A remotely triggerable crash that could take many nodes offline
46- ([ CVE-2024 -35202] ( /en/2024/10/08/disclose-blocktxn-crash/ ) ).
47- * A denial-of-service attack that causes a node to stall for an extended
48- period, preventing it from processing new transactions and blocks
49- ([ CVE-2024 -52914] ( /en/2024/07/03/disclose-orphan-dos/ ) ).
50- * A memory exhaustion vulnerability that could be triggered remotely to crash
51- nodes by having them store an excessive amount of block headers
52- ([ CVE-2019 -25220] ( /en/2024/09/18/disclose-headers-oom/ ) ).
53-
54- ### Medium
55-
56- Bugs that can noticeably degrade the network's or a node's performance or
57- functionality, but are limited in their scope or exploitability. These might
58- require special conditions to trigger, such as non-default settings, or result
59- in service degradation rather than a complete node failure.
60-
61- Examples:
62- * A potential Remote Code Execution (RCE) vulnerability on the local network
63- that is only exploitable if a non-default feature like UPnP is enabled
64- ([ CVE-2015 -20111] ( /en/2024/07/03/disclose_upnp_rce/ ) ).
65- * A peer could hinder block propagation by sending mutated blocks, delaying the
66- reception of new blocks for a node
67- ([ CVE-2024 -52921] ( /en/2024/10/08/disclose-mutated-blocks-hindering-propagation/ ) ).
68- * An attacker announcing a block to a node and then failing to provide it,
69- causing the victim node to wait for up to 10 minutes before being able to
70- fetch it from another peer
71- ([ CVE-2024 -52922] ( /en/2024/11/05/cb-stall-hindering-propagation/ ) ).
72-
73- ### Low
74-
75- Bugs that are challenging to exploit or have a minor impact on a node's
76- operation. They might only be triggerable under non-default configurations or
77- from the local network, and do not pose an immediate or widespread threat.
78-
79- Examples:
80- * A malformed ` getdata ` message could cause a peer connection to enter an
81- infinite loop, consuming CPU but not affecting the node's ability to process
82- blocks or handle other peer connections
83- ([ CVE-2024 -52920] ( /en/2024/07/03/disclose-getdata-cpu/ ) ).
84- * A bug in a dependency that could crash a node, but only if a non-default
85- feature like UPnP is enabled
86- ([ CVE-2024 -52917] ( /en/2024/07/31/disclose-upnp-oom/ ) ).
87- * A bug that could crash a node, but is extremely difficult to exploit
88- ([ CVE-2024 -52919] ( /en/2025/04/28/disclose-cve-2024-52919/ ) ).
89-
90- ---
22+ * ** Critical** : Bugs that threaten the fundamental security and integrity of the entire Bitcoin
23+ network. These are bugs that allow for coin theft at the protocol level, the
24+ creation of coins outside of the specified issuance schedule, or permanent,
25+ network-wide chain splits.
26+ <details markdown =" 1 " >
27+
28+ <summary >
29+ Examples
30+ </summary >
31+
32+ * A bug allowing inflating the money supply by spending the same transaction
33+ output twice within a block ([ CVE-2018 -17144] ( /en/2018/09/20/notice/ ) ).
34+ * A consensus failure where nodes running older software rejected a block that
35+ newer software accepted due to an underlying database limit, causing a
36+ network-wide chain split ([ BIP
37+ 50] ( https://github.com/bitcoin/bips/blob/master/bip-0050.mediawiki ) ).
38+
39+ </details >
40+ * ** High** : Bugs with a significant impact on affected nodes or the network. These are
41+ typically exploitable remotely under default configurations and can cause
42+ widespread disruption.
43+ <details markdown =" 1 " >
44+
45+ <summary >
46+ Examples
47+ </summary >
48+
49+ * A remotely triggerable crash that could take many nodes offline
50+ ([ CVE-2024 -35202] ( /en/2024/10/08/disclose-blocktxn-crash/ ) ).
51+ * A denial-of-service attack that causes a node to stall for an extended
52+ period, preventing it from processing new transactions and blocks
53+ ([ CVE-2024 -52914] ( /en/2024/07/03/disclose-orphan-dos/ ) ).
54+ * A memory exhaustion vulnerability that could be triggered remotely to crash
55+ nodes by having them store an excessive amount of block headers
56+ ([ CVE-2019 -25220] ( /en/2024/09/18/disclose-headers-oom/ ) ).
57+
58+ </details >
59+ * ** Medium** : Bugs that can noticeably degrade the network's or a node's performance or
60+ functionality, but are limited in their scope or exploitability. These might
61+ require special conditions to trigger, such as non-default settings, or result
62+ in service degradation rather than a complete node failure.
63+ <details markdown =" 1 " >
64+
65+ <summary >
66+ Examples
67+ </summary >
68+
69+ * A potential Remote Code Execution (RCE) vulnerability on the local network
70+ that is only exploitable if a non-default feature like UPnP is enabled
71+ ([ CVE-2015 -20111] ( /en/2024/07/03/disclose_upnp_rce/ ) ).
72+ * A peer could hinder block propagation by sending mutated blocks, delaying the
73+ reception of new blocks for a node
74+ ([ CVE-2024 -52921] ( /en/2024/10/08/disclose-mutated-blocks-hindering-propagation/ ) ).
75+ * An attacker announcing a block to a node and then failing to provide it,
76+ causing the victim node to wait for up to 10 minutes before being able to
77+ fetch it from another peer
78+ ([ CVE-2024 -52922] ( /en/2024/11/05/cb-stall-hindering-propagation/ ) ).
79+
80+ </details >
81+ * ** Low** : Bugs that are challenging to exploit or have a minor impact on a node's
82+ operation. They might only be triggerable under non-default configurations or
83+ from the local network, and do not pose an immediate or widespread threat.
84+ <details markdown =" 1 " >
85+
86+ <summary >
87+ Examples
88+ </summary >
89+
90+ * A malformed ` getdata ` message could cause a peer connection to enter an
91+ infinite loop, consuming CPU but not affecting the node's ability to process
92+ blocks or handle other peer connections
93+ ([ CVE-2024 -52920] ( /en/2024/07/03/disclose-getdata-cpu/ ) ).
94+ * A bug in a dependency that could crash a node, but only if a non-default
95+ feature like UPnP is enabled
96+ ([ CVE-2024 -52917] ( /en/2024/07/31/disclose-upnp-oom/ ) ).
97+ * A bug that could crash a node, but is extremely difficult to exploit
98+ ([ CVE-2024 -52919] ( /en/2025/04/28/disclose-cve-2024-52919/ ) ).
99+
100+ </details >
91101
92102** Low** severity vulnerabilities will be disclosed 2 weeks after the release of a major version
93103containing the fix. ** Medium** and ** High** severity vulnerabilities will be disclosed 2 weeks after