cbcvebase.

Bitcoin Core vulnerabilities

52 known vulnerabilities affecting bitcoin/bitcoin_core.

Total CVEs
52
CISA KEV
0
Public exploits
0
Exploited in wild
3
Severity breakdown
HIGH26MEDIUM26

Vulnerabilities

Page 1 of 3
CVE-2023-50428P2MEDIUMCVSS 5.3Exploited≥ 0.9, ≤ 26.02023-12-09
CVE-2023-50428 [MEDIUM] CVE-2023-50428: In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits ca In Bitcoin Core through 26.0 and Bitcoin Knots before 25.1.knots20231115, datacarrier size limits can be bypassed by obfuscating data as code (e.g., with OP_FALSE OP_IF), as exploited in the wild by Inscriptions in 2022 and 2023. NOTE: although this is a vulnerability from the perspective of the Bitcoin Knots project, some others consider it "not a bug."
nvd
CVE-2023-33297P2HIGHCVSS 7.5Exploitedfixed in 24.12023-05-22
CVE-2023-33297 [HIGH] CWE-400 CVE-2023-33297: Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service Bitcoin Core before 24.1, when debug mode is not used, allows attackers to cause a denial of service (e.g., CPU consumption) because draining the inventory-to-send queue is inefficient, as exploited in the wild in May 2023.
nvd
CVE-2018-17144P3HIGHCVSS 7.5Exploited≥ 0.14.0, < 0.14.3≥ 0.15.0, < 0.15.2+1 more2018-09-19
CVE-2018-17144 [HIGH] CVE-2018-17144: Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
nvd
CVE-2021-3195P3HIGHCVSS 7.5≤ 0.21.02021-01-26
CVE-2021-3195 [HIGH] CWE-20 CVE-2021-3195: bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outsi bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call. NOTE: this reportedly does not violate the security model of Bitcoin Core, but can violate the security model of a fork that has implemented dumpwallet restrictions
nvd
CVE-2024-52912P3HIGHCVSS 7.5fixed in 0.21.02024-11-18
CVE-2024-52912 [HIGH] CWE-190 CVE-2024-52912: Bitcoin Core before 0.21.0 allows a network split that is resultant from an integer overflow (calcul Bitcoin Core before 0.21.0 allows a network split that is resultant from an integer overflow (calculating the time offset for newly connecting peers) and an abs64 logic bug.
nvd
CVE-2010-5139P3HIGHCVSS 7.5≤ 0.3.10v0.3.4+2 more2012-08-06
CVE-2010-5139 [HIGH] CWE-189 CVE-2010-5139: Integer overflow in wxBitcoin and bitcoind before 0.3.11 allows remote attackers to bypass intended Integer overflow in wxBitcoin and bitcoind before 0.3.11 allows remote attackers to bypass intended economic restrictions and create many bitcoins via a crafted Bitcoin transaction.
nvd
CVE-2019-15947P3HIGHCVSS 7.5v0.18.02019-09-05
CVE-2019-15947 [HIGH] CWE-312 CVE-2019-15947: In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it ma In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted in memory. Upon a crash, it may dump a core file. If a user were to mishandle a core file, an attacker can reconstruct the user's wallet.dat file, including their private keys, via a grep "6231 0500" command.
nvd
CVE-2018-17145P3HIGHCVSS 7.5≥ 0.16.0, < 0.16.22020-09-10
CVE-2018-17145 [HIGH] CWE-400 CVE-2018-17145: Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of serv Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16.2 allow remote denial of service via a flood of multiple transaction inv messages with random hashes, aka INVDoS. NOTE: this can also affect other cryptocurrencies, e.g., if they were forked from Bitcoin Core after 2017-11-15.
nvd
CVE-2017-12842P3HIGHCVSS 7.5fixed in 0.14.02020-03-16
CVE-2017-12842 [HIGH] CWE-20 CVE-2017-12842: Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to Bitcoin Core before 0.14 allows an attacker to create an ostensibly valid SPV proof for a payment to a victim who uses an SPV wallet, even if that payment did not actually occur. Completing the attack would cost more than a million dollars, and is relevant mainly only in situations where an autonomous system relies solely on an SPV proof for transactio
nvd
CVE-2025-54604P3HIGHCVSS 7.5fixed in 30.02025-10-28
CVE-2025-54604 [HIGH] CWE-400 CVE-2025-54604: Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2). Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 1 of 2).
nvd
CVE-2025-54605P3HIGHCVSS 7.5fixed in 30.02025-10-28
CVE-2025-54605 [HIGH] CWE-400 CVE-2025-54605: Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2). Bitcoin Core through 29.0 allows Uncontrolled Resource Consumption (issue 2 of 2).
nvd
CVE-2016-10724P3HIGHCVSS 7.5fixed in 0.13.02018-07-05
CVE-2016-10724 [HIGH] CWE-400 CVE-2016-10724: Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote net Bitcoin Core before v0.13.0 allows denial of service (memory exhaustion) triggered by the remote network alert system (deprecated since Q1 2016) if an attacker can sign a message with a certain private key that had been known by unintended actors, because of an infinitely sized map. This affects other uses of the codebase, such as Bitcoin Knots before
nvd
CVE-2025-46597P3HIGHCVSS 7.5≥ 0.13.0, < 0.30.02026-03-20
CVE-2025-46597 [HIGH] CWE-190 CVE-2025-46597: Bitcoin Core 0.13.0 through 29.x has an integer overflow. Bitcoin Core 0.13.0 through 29.x has an integer overflow.
nvd
CVE-2012-1910P3HIGHCVSS 7.5v0.5.0v0.5.1+2 more2012-08-06
CVE-2012-1910 [HIGH] CVE-2012-1910: Bitcoin-Qt 0.5.0.x before 0.5.0.5; 0.5.1.x, 0.5.2.x, and 0.5.3.x before 0.5.3.1; and 0.6.x before 0. Bitcoin-Qt 0.5.0.x before 0.5.0.5; 0.5.1.x, 0.5.2.x, and 0.5.3.x before 0.5.3.1; and 0.6.x before 0.6.0rc4 on Windows does not use MinGW multithread-safe exception handling, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted Bitcoin protocol messages.
nvd
CVE-2020-14198P3HIGHCVSS 7.5v0.20.02020-09-10
CVE-2020-14198 [HIGH] CVE-2020-14198: Bitcoin Core 0.20.0 allows remote denial of service. Bitcoin Core 0.20.0 allows remote denial of service.
nvd
CVE-2016-10725P3HIGHCVSS 7.5fixed in 0.13.02018-07-05
CVE-2016-10725 [HIGH] CWE-310 CVE-2016-10725: In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which In Bitcoin Core before v0.13.0, a non-final alert is able to block the special "final alert" (which is supposed to override all other alerts) because operations occur in the wrong order. This behavior occurs in the remote network alert system (deprecated since Q1 2016). This affects other uses of the codebase, such as Bitcoin Knots before v0.13.0.knots
nvd
CVE-2010-5141P3HIGHCVSS 7.5≤ 0.3.42012-08-06
CVE-2010-5141 [HIGH] CWE-264 CVE-2010-5141: wxBitcoin and bitcoind before 0.3.5 do not properly handle script opcodes in Bitcoin transactions, w wxBitcoin and bitcoind before 0.3.5 do not properly handle script opcodes in Bitcoin transactions, which allows remote attackers to spend bitcoins owned by other users via unspecified vectors.
nvd
CVE-2024-52914P3HIGHCVSS 7.5fixed in 0.18.02024-11-18
CVE-2024-52914 [HIGH] CWE-770 CVE-2024-52914: In Bitcoin Core before 0.18.0, a node could be stalled for hours when processing the orphans of a cr In Bitcoin Core before 0.18.0, a node could be stalled for hours when processing the orphans of a crafted unconfirmed transaction.
nvd
CVE-2023-37192P3HIGHCVSS 7.5v22.02023-07-07
CVE-2023-37192 [HIGH] CWE-311 CVE-2023-37192: Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored se Memory management and protection issues in Bitcoin Core v22 allows attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.
nvd
CVE-2024-35202P3HIGHCVSS 7.5fixed in 25.02024-10-10
CVE-2024-35202 [HIGH] CWE-770 CVE-2024-35202: Bitcoin Core before 25.0 allows remote attackers to cause a denial of service (blocktxn message-hand Bitcoin Core before 25.0 allows remote attackers to cause a denial of service (blocktxn message-handling assertion and node exit) by including transactions in a blocktxn message that are not committed to in a block's merkle root. FillBlock can be called twice for one PartiallyDownloadedBlock instance.
nvd
Bitcoin Core vulnerabilities | cvebase